Oracle WebLogic Apache Commons library deserialization vulnerability

Added: 11/20/2015
CVE: CVE-2015-4852
BID: 77539

Background

Oracle WebLogic Server (formerly BEA WebLogic Server) is a Java web application platform.

Apache Commons Collections is a widely used Java library that is bundled with WebLogic Server. Its InvokerTransformer class, chained with other Commons Collections classes, lets an attacker build a serialized object graph whose deserialization invokes arbitrary methods by reflection (a "gadget chain").

Problem

WebLogic's T3 listener (by default on port 7001, the same port as HTTP) deserializes Java objects received from clients without restricting which classes may be loaded. A remote, unauthenticated attacker who can reach the T3 port can send a T3 request carrying a specially crafted serialized object built from the Apache Commons Collections gadget chain, and the server executes arbitrary code with the privileges of the WebLogic process. The root cause is WebLogic deserializing untrusted input; Commons Collections only supplies one gadget chain, so removing that library alone does not address the underlying flaw.
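The following is an added example, not code from the original entry or from Oracle: a small triage script that (a) parses the HELO reply a WebLogic T3 listener returns to the plain-text T3 handshake used by public T3 probes (the same handshake nmap's weblogic-t3-info script sends) and (b) scans raw T3 traffic for embedded Java serialization streams and flags the Commons Collections class names that the public gadget chains rely on. The affected-version list is reproduced from the Oracle Security Alert; the HELO reply and the T3 request bytes are constructed sample data, and the framing bytes between the handshake and the serialized object are placeholders, not real T3 framing.

```python
import re
import socket

# T3 handshake a client sends to open a session; the server answers with a
# HELO line announcing its version.
T3_HANDSHAKE = b"t3 12.2.1\nAS:255\nHL:19\n\n"

# Header of a Java serialization stream (STREAM_MAGIC + STREAM_VERSION 5).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

# Classes used by the public Commons Collections gadget chains. Class
# descriptors carry the name as a plain UTF string, so a substring search works.
GADGET_CLASSES = (
    b"org.apache.commons.collections.functors.InvokerTransformer",
    b"org.apache.commons.collections.functors.ChainedTransformer",
    b"org.apache.commons.collections.functors.ConstantTransformer",
    b"org.apache.commons.collections.map.LazyMap",
    b"org.apache.commons.collections.map.TransformedMap",
)

# Versions the Oracle Security Alert for CVE-2015-4852 lists as affected.
AFFECTED_VERSIONS = ("10.3.6.0", "12.1.2.0", "12.1.3.0", "12.2.1.0")

# Constructed sample data (not captured from a real server).
SAMPLE_HELO = b"HELO:12.2.1.0.false\nAS:2048\nHL:19\n\n"
SAMPLE_T3_REQUEST = (
    T3_HANDSHAKE
    + b"\x00\x00\x00\x40\x03\x00\x00\x00"          # placeholder framing bytes
    + JAVA_SERIAL_MAGIC + b"\x73\x72\x00\x3a"       # TC_OBJECT, TC_CLASSDESC, name len
    + b"org.apache.commons.collections.functors.InvokerTransformer"
    + b"\x87\xe8\xff\x6b\x7b\x7c\xce\x38\x02\x00\x03"  # serialVersionUID, flags, fields
    + b"\x00\x00\x00\x10"                           # placeholder framing bytes
    + JAVA_SERIAL_MAGIC + b"\x73\x72\x00\x11java.lang.Integer"  # benign object
)


def parse_t3_helo(response: bytes):
    """Return the version a T3 listener announces in its HELO reply, or None."""
    m = re.match(rb"HELO:(\d+(?:\.\d+)*)\.(?:true|false)\n", response)
    return m.group(1).decode() if m else None


def announces_affected_version(version):
    """True if the announced version is one the alert lists as affected.

    A patched server announces the same version string, so this is a triage
    hint, not proof of exposure; confirm by checking the installed patches.
    """
    return version in AFFECTED_VERSIONS


def probe_t3(host, port=7001, timeout=5.0):
    """Send the T3 handshake and return the announced version (None if not T3).

    Network code; the offline sample below does not call it.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(T3_HANDSHAKE)
        return parse_t3_helo(sock.recv(1024))


def is_t3_request(stream: bytes):
    """A T3 session opens with the literal 't3 ' followed by the client version."""
    return stream.startswith(b"t3 ")


def find_serialized_objects(stream: bytes):
    """Locate Java serialization streams inside raw T3 bytes and report which
    gadget-chain class names each one carries."""
    offsets = [m.start() for m in re.finditer(re.escape(JAVA_SERIAL_MAGIC), stream)]
    findings = []
    for n, off in enumerate(offsets):
        end = offsets[n + 1] if n + 1 < len(offsets) else len(stream)
        segment = stream[off:end]
        hits = [c.decode() for c in GADGET_CLASSES if c in segment]
        findings.append({"offset": off, "gadget_classes": hits})
    return findings


if __name__ == "__main__":
    print("announced version:", parse_t3_helo(SAMPLE_HELO))
    for f in find_serialized_objects(SAMPLE_T3_REQUEST):
        print("serialized object at offset %d, gadget classes: %s"
              % (f["offset"], f["gadget_classes"] or "none"))
```

Run against live traffic (a pcap payload or an IDS capture of port 7001), the class-name scan is a cheap detection for the public gadget chains only; a serialized object with no known class names is not proof of safety, since other gadget chains exist.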

Resolution

Apply the patch referenced in the Oracle Security Alert for CVE-2015-4852. Until it is installed, restrict access to the T3/T3S listener (default port 7001) to trusted hosts at the network boundary or with a WebLogic connection filter; the WebLogic version string does not change when the patch is applied, so verify the fix by checking installed patches rather than by banner.

References

https://blogs.oracle.com/security/entry/security_alert_cve_2015_4852
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

Limitations

Exploit works on Oracle WebLogic 12.2.1 for Linux.

Platforms

Linux