Oracle WebLogic Java Object Deserialization RCE

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.


Synopsis :

The remote Oracle WebLogic server is affected by a remote code
execution vulnerability.

Description :

The remote Oracle WebLogic server is affected by a remote code
execution vulnerability in the WLS Security component due to unsafe
deserialization of Java objects received from unauthenticated clients,
which allows classes from the Apache Commons Collections (ACC) library
to be reached during deserialization. An unauthenticated, remote
attacker can exploit this to execute arbitrary Java code in the context
of the WebLogic server.
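The root cause in the description is an ObjectInputStream that resolves and instantiates whatever class an unauthenticated stream names. As an added illustration (not Tenable's, Oracle's, or WebLogic's code), the look-ahead filter below shows the standard mitigation: every class descriptor is checked against an allow-list in resolveClass before any instance is built, so ACC gadget classes are refused before their code can run. The Greeting type and the allow-list contents are constructed for this example.

```java
import java.io.*;
import java.util.Set;

// Look-ahead ObjectInputStream: class names are vetted as the stream is parsed,
// so a chain built from Apache Commons Collections classes never gets instantiated.
public class SafeDeserialization {
    // Constructed allow-list: only the type this endpoint legitimately expects.
    private static final Set<String> ALLOWED = Set.of("SafeDeserialization$Greeting");

    static final class FilteringObjectInputStream extends ObjectInputStream {
        FilteringObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            // Deny by default: unknown classes, org.apache.commons.collections.* included,
            // never reach Class.forName(), so no gadget constructor or readObject runs.
            if (!ALLOWED.contains(name)) {
                throw new InvalidClassException(name, "not on deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    // Constructed sample type standing in for the endpoint's real payload class.
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new FilteringObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Greeting ok = (Greeting) deserialize(serialize(new Greeting("hello")));
        System.out.println("accepted: " + ok.text);
        try { // a HashMap is harmless but not allow-listed, so it is refused like any gadget class
            deserialize(serialize(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

On JDK 9+ (and the 8u121, 7u131 and 6u141 updates that backported JEP 290) the same policy can be expressed declaratively through ObjectInputFilter or the jdk.serialFilter system property instead of subclassing ObjectInputStream.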

See also :

http://www.nessus.org/u?e643827d
http://www.nessus.org/u?e0204f30

Solution :

Upgrade to the relevant fixed version referenced in the vendor
advisory.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.3
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: Web Servers

Nessus Plugin ID: 87011

Bugtraq ID: 77539

CVE ID: CVE-2015-4852
