Oracle WebLogic Server BadAttributeValueExpException deserialization

Added: 05/27/2020
CVE: CVE-2020-2555

Background

Oracle WebLogic Server (formerly BEA WebLogic Server) is a Java web application platform.

Problem

A Java object deserialization vulnerability in WebLogic allows an unauthenticated remote attacker to execute arbitrary code by sending a crafted serialized BadAttributeValueExpException object to the server over the T3 protocol.

Resolution

Apply the patch referenced in the Oracle Critical Patch Update Advisory - January 2020.

References

https://www.oracle.com/security-alerts/cpujan2020.html

Limitations

Exploit works on Oracle WebLogic Server 12.1.3.0.0, 12.2.1.3.0, and 12.2.1.4.0 on Windows.

Platforms

Windows
