Oracle WebLogic Server Java Object Deserialization RCE (April 2016 CPU)
Severity: High
Nessus Plugin ID: 90709
Synopsis
The remote Oracle WebLogic server is affected by a remote code execution vulnerability.
Description
The remote Oracle WebLogic Server is affected by a remote code execution vulnerability in the Java Messaging Service (JMS) subcomponent, in the readExternal() function, due to improper validation of user-supplied serialized objects before they are deserialized. An unauthenticated, remote attacker can exploit this, via a crafted serialized object, to bypass the ClassFilter.class blacklist and execute arbitrary Java code in the context of the WebLogic server process. Because ClassFilter.class is a deny-list of class names, it only stops classes already known to be dangerous; any class it does not name is still loaded and instantiated during deserialization.
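To make the deny-list weakness concrete, here is an added, self-contained Java example that is not WebLogic, Oracle or Tenable code and does not reproduce the actual ClassFilter.class logic or any real gadget chain. It overrides ObjectInputStream.resolveClass() twice: once with a hypothetical deny-list that blocks a single made-up class name, and once with an allow-list of the one type the endpoint expects. The classes Ticket, NotOnTheList and the name "com.example.KnownGadget" are all constructed for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

/**
 * Added example (not WebLogic or Nessus code): why a class-name deny-list on
 * deserialization is bypassable and what an allow-list changes.
 * All class names below are hypothetical stand-ins, not real gadget chains.
 */
public class DeserializationFilters {

    /** The only type this hypothetical endpoint legitimately expects. */
    static class Ticket implements Serializable {
        private static final long serialVersionUID = 1L;
        String id;
        Ticket(String id) { this.id = id; }
    }

    /** Stand-in for any class the deny-list author did not anticipate. */
    static class NotOnTheList implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    /** Hypothetical deny-list: blocks one known-bad name, admits everything else. */
    static final Set<String> DENY = Set.of("com.example.KnownGadget");

    /** Allow-list: exactly the classes the endpoint needs, nothing more. */
    static final Set<String> ALLOW = Set.of(Ticket.class.getName());

    static class DenyListInputStream extends ObjectInputStream {
        DenyListInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (DENY.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "on deny-list");
            }
            return super.resolveClass(desc); // every unlisted class is loaded and instantiated
        }
    }

    static class AllowListInputStream extends ObjectInputStream {
        AllowListInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOW.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on allow-list");
            }
            return super.resolveClass(desc); // only the expected type gets this far
        }
    }

    /** Serialises an object to bytes; stands in for data arriving over the wire. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Returns a one-line verdict rather than throwing, so both filters can be compared. */
    static String readWith(ObjectInputStream in, String filterName) {
        try {
            Object o = in.readObject();
            return filterName + " accepted " + o.getClass().getSimpleName();
        } catch (InvalidClassException e) {
            return filterName + " rejected: " + e.getMessage();
        } catch (IOException | ClassNotFoundException e) {
            return filterName + " failed: " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] expected = serialize(new Ticket("T-1"));
        byte[] unexpected = serialize(new NotOnTheList()); // constructed stand-in for attacker input

        for (byte[] payload : new byte[][] { expected, unexpected }) {
            System.out.println(readWith(
                new DenyListInputStream(new ByteArrayInputStream(payload)), "deny-list"));
            System.out.println(readWith(
                new AllowListInputStream(new ByteArrayInputStream(payload)), "allow-list"));
        }
    }
}
```

Run with `javac DeserializationFilters.java && java DeserializationFilters` (Java 9 or later, for Set.of). The deny-list stream admits NotOnTheList because nothing in the stream matches its single entry; the allow-list stream rejects it before the class is resolved. On Java 9 and later the same allow-list policy can be expressed without subclassing ObjectInputStream, via ObjectInputFilter.Config.createFilter() and ObjectInputStream.setObjectInputFilter(), which is the mechanism to prefer in new code.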
Solution
Apply the appropriate patch according to the April 2016 Oracle Critical Patch Update advisory.