Oracle WebLogic Server Java Object Deserialization RCE (July 2016 CPU)
Critical Nessus Plugin ID 92606
Synopsis
The remote Oracle WebLogic server is affected by a remote code execution vulnerability.
Description
The remote Oracle WebLogic Server is affected by a remote code execution vulnerability in the WLS Core component in the readObject() function due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this, via a crafted object payload, to bypass the ClassFilter.class blacklist and execute arbitrary Java code in the context of the WebLogic server.
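The security-relevant point of the description is that ClassFilter.class is a blacklist: it can only reject class names it already knows, so any serializable class it does not name passes through readObject(). The example below is added here and is not code from the Nessus plugin, from Oracle, or from WebLogic; it uses the JDK's own java.io.ObjectInputFilter (JEP 290, Java 9 and later, backported to Java 8 update 121) to contrast a deny-list filter with an allow-list filter. The classes Greeting and NotOnAnyList, the helper names, and the deny-list prefix com.example.blocked. are all constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

/**
 * Added illustration, not code from the Nessus plugin, Oracle or WebLogic.
 * Contrasts a class-name deny-list filter (the pattern the advisory says
 * was bypassed) with an allow-list filter built on java.io.ObjectInputFilter.
 * Every class name below is constructed for the demo.
 */
public class DeserializationFilterDemo {

    /** A type the application legitimately expects on the wire (constructed). */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    /** A type the application never expects and that no deny-list names (constructed). */
    public static final class NotOnAnyList implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    /** Deny-list: rejects only names it already knows; everything else passes. */
    static ObjectInputFilter denyListFilter(Set<String> blockedPrefixes) {
        return info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                return ObjectInputFilter.Status.UNDECIDED; // non-class checks (depth, array length)
            }
            for (String prefix : blockedPrefixes) {
                if (c.getName().startsWith(prefix)) {
                    return ObjectInputFilter.Status.REJECTED;
                }
            }
            // The stream filter treats UNDECIDED as "accept", so any class the
            // list does not name is deserialized. This is the weakness of a blacklist.
            return ObjectInputFilter.Status.UNDECIDED;
        };
    }

    /** Allow-list: accepts only the exact types the protocol needs, with resource limits. */
    static ObjectInputFilter allowListFilter(Set<Class<?>> allowed) {
        return info -> {
            if (info.depth() > 8 || info.references() > 1_000) {
                return ObjectInputFilter.Status.REJECTED; // bound nesting and graph size
            }
            Class<?> c = info.serialClass();
            if (c == null) {
                return ObjectInputFilter.Status.UNDECIDED;
            }
            return allowed.contains(c) ? ObjectInputFilter.Status.ALLOWED
                                       : ObjectInputFilter.Status.REJECTED;
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Reads one object under the given filter; a REJECTED status surfaces as InvalidClassException. */
    static Object deserialize(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter); // must be set before the first readObject()
            return in.readObject();
        }
    }

    static String attempt(byte[] bytes, ObjectInputFilter filter) {
        try {
            return "accepted " + deserialize(bytes, filter).getClass().getSimpleName();
        } catch (InvalidClassException e) {
            return "rejected (" + e.getMessage() + ")";
        } catch (IOException | ClassNotFoundException e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] expected = serialize(new Greeting("hello"));
        byte[] unexpected = serialize(new NotOnAnyList());

        // Constructed deny-list prefix: it blocks something, just not NotOnAnyList.
        ObjectInputFilter deny = denyListFilter(Set.of("com.example.blocked."));
        ObjectInputFilter allow = allowListFilter(Set.of(Greeting.class, String.class));

        System.out.println("deny-list,  expected type:   " + attempt(expected, deny));
        System.out.println("deny-list,  unexpected type: " + attempt(unexpected, deny));   // passes the blacklist
        System.out.println("allow-list, expected type:   " + attempt(expected, allow));
        System.out.println("allow-list, unexpected type: " + attempt(unexpected, allow)); // rejected
    }
}
```

Run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo` on Java 9 or later. The same allow-list policy can be applied process-wide without code changes through the JDK's `jdk.serialFilter` system property (for example `-Djdk.serialFilter='com.example.app.*;!*'`, where the trailing `!*` rejects every class not matched earlier); an allow-list of that shape, rather than a list of known-bad names, is the durable mitigation for deserialization of untrusted input, and the vendor patch from the CPU remains necessary for the WebLogic component itself.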
Solution
Apply the appropriate patch according to the July 2016 Oracle Critical Patch Update advisory.