Oracle WebLogic Server Java Object Deserialization RCE (October 2016 CPU)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote Oracle WebLogic server is affected by a remote code
execution vulnerability.

Description :

The remote Oracle WebLogic server is affected by a remote code
execution vulnerability in the WLS Security component due to unsafe
deserialization of unauthenticated Java objects passed to the Apache
Commons FileUpload library. An unauthenticated, remote attacker can
exploit this, via a crafted DiskFileItem object, to execute
arbitrary code in the context of the WebLogic server.

See also :

http://www.nessus.org/u?bac902d5
http://www.nessus.org/u?e0204f30
https://www.tenable.com/security/research/tra-2016-33
http://www.zerodayinitiative.com/advisories/ZDI-16-572/

Solution :

Apply the appropriate patch according to the October 2016 Oracle
Critical Patch Update advisory.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Web Servers

Nessus Plugin ID: 94511

Bugtraq ID: 93692

CVE ID: CVE-2016-5535
