Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2015-4852

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.

Related bugs and status

CVE-2015-4852 (Candidate) is related to these bugs:

Bug #1514985: Arbitrary remote code execution with InvokerTransformer

Summary				In	Importance	Status
	1514985	Arbitrary remote code execution with InvokerTransformer		libcommons-collections3-java (Ubuntu)	Undecided	Confirmed
	1514985	Arbitrary remote code execution with InvokerTransformer		libcommons-collections4-java (Ubuntu)	Undecided	Confirmed

See the

CVE page on Mitre.org for more details.

References

MLIST: [oss-security] 2015111...
MISC: http://foxglovesecurit...
MISC: https://github.com/fox...
CONFIRM: http://www.oracle.com/...
CONFIRM: https://blogs.oracle.c...
CONFIRM: http://www.oracle.com/...
CONFIRM: http://www.oracle.com/...
BID: 77539
CONFIRM: http://www.oracle.com/...
SECTRACK: 1038292
EXPLOIT-DB: 42806
CONFIRM: http://www.oracle.com/...
CONFIRM: http://www.oracle.com/...
EXPLOIT-DB: 46628
MISC: http://packetstormsecu...