http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html

1035615

https://www.tenable.com/security/research/tra-2016-09

The remote Oracle WebLogic Server is affected by a remote code execution vulnerability in the Java Messaging Service subcomponent in the readExternal() function due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this, via a crafted object payload, to bypass the ClassFilter.class blacklist and execute arbitrary Java code in the context of the WebLogic server.

The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities :

  - A remote code execution vulnerability exists in the Java     Messaging Service subcomponent in the readExternal()     function due to improper sanitization of user-supplied     input. An unauthenticated, remote attacker can exploit     this, via a crafted object payload, to bypass the     ClassFilter.class blacklist and execute arbitrary Java     code. (CVE-2016-0638)

  - Multiple unspecified vulnerabilities exist in the     Console subcomponent that allow a remote attacker to     affect confidentiality and integrity. (CVE-2016-0675,     CVE-2016-0696, CVE-2016-0700, CVE-2016-3416)

  - An unspecified vulnerability exists in the Core     Components subcomponent that allows a remote attacker to     affect integrity. (CVE-2016-0688)

ID	Name	Product	Family	Severity
90709	Oracle WebLogic Server Java Object Deserialization RCE (April 2016 CPU)	Nessus	Web Servers	critical
90679	Oracle WebLogic Server Multiple Vulnerabilities (April 2016 CPU)	Nessus	Misc.	critical

CVE-2016-0638

critical

Tenable Plugins

critical

critical