Name | weblogic_t3_deserialization |
CVE | CVE-2015-4852 |
Exploit Pack | CANVAS |
Description | weblogic_t3_deserialization |
Notes | CVE Name: CVE-2015-4852
VENDOR: Oracle
NOTES:
IMPORTANT NOTE: This exploit WILL NOT WORK against any instance of this application running an Apache Commons Collections version prior to 3.0.

WebLogic's AdminServer servlet allows remote administration (often unauthenticated) via the proprietary T3 protocol. This protocol is similar to RMI in the sense that it depends on the exchange of serialized Java objects that are then re-serialized. Apache Commons pre-3.2.2 allows users to serialize transformers on collection values. Of importance to us is the InvokerTransformer, which is capable of invoking Java methods. We are able to run these transformers by adding them to an annotation map whose members are accessed. The right chain of method invocations leads to arbitrary code execution.

Version support: Installer did not support the JVM version unless marked otherwise.

> Ubuntu Linux 14.04.3 - x86
- 10.3.6 on Java SE 6
- 10.3.6 on JRockit 1.6 - NOT SUPPORTED
- 12.2.1 on Java SE 8 ()
- 12.1.2 on Java SE 7 / 8
- 12.1.3 on Java SE 7 / 8

> Windows 7 Ultimate SP 1 x86
- 12.1.3 on Java SE 8 - FAILED
- 12.1.3 on Java SE 7
- 12.1.2 on Java SE 7
- 12.2.1 on Java SE 8 - FAILED
- 12.2.1 on Java SE 6 - Installer does not support Java version
- 12.2.1 on Java SE 7 - Installer does not support Java version
- 10.3.6 on Java SE 6
- 10.3.6 on JRockit 1.6 - NOT SUPPORTED

Repeatability: One Shot

References:
- http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
- https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread
- http://www.oracle.com/technetwork/topcis/security/alert-cve-2015-4852-2763333.html
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7501

CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4852 |