CVE-2015-4852
Published: 18 November 2015
Summary
CVE-2015-4852 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Oracle WebLogic Server. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability is a deserialization flaw (CWE-502) in the WLS Security component of Oracle WebLogic Server versions 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0. It resides in the bundled Apache Commons Collections library at oracle_common/modules/com.bea.core.apache.commons.collections.jar and is exposed over the T3 protocol on TCP port 7001. The issue permits processing of untrusted serialized Java objects and carries a CVSS 3.1 base score of 9.8.
Remote attackers without authentication can exploit the flaw by sending a crafted serialized object in T3 traffic, resulting in arbitrary command execution on the server. The attack requires no user interaction and can be launched over the network with low complexity.
Oracle security advisories CPUApr2017 and CPUJan2018 address the issue through patches that restrict or disable unsafe deserialization paths in the affected WebLogic releases. Public exploit code and technical analyses have been published demonstrating remote code execution against unpatched instances.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2015-4869
Vulnerability details
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates the deserialization of untrusted Java objects by requiring validation/sanitization of T3 protocol input before processing.
- SC-7 (Boundary Protection): restricts network exposure of TCP port 7001/T3, blocking unauthenticated remote attackers from reaching the vulnerable WLS Security component.
- Patch management: requires timely application of Oracle CPU patches that disable unsafe deserialization paths in the bundled Commons Collections library.
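As an added detection example that illustrates both the T3 exposure described in the analysis above and the SI-10 input-validation control, the following Python scanner (not from this advisory or from Oracle) flags a client payload on TCP/7001 that opens with the T3 handshake and carries a Java serialization stream referencing the Commons Collections package shipped in the jar named above. The handshake line, sample payloads and watch list are constructed for illustration; the scanner is a triage aid for captured traffic, not a full serialization parser.

```python
import re
from typing import Dict, List

# Java serialization stream header and the TC_CLASSDESC tag (constants from the
# Java Object Serialization Stream Protocol).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
TC_CLASSDESC = 0x72
CLASS_NAME_RE = re.compile(rb"^[A-Za-z_$][A-Za-z0-9_$.]*$")

# Watch list: the package shipped in the jar named by the advisory. A client
# pushing objects from this package over T3 is anomalous for normal RMI traffic.
WATCHED_PREFIXES = ("org.apache.commons.collections",)

def java_class_descs(stream: bytes) -> List[str]:
    """Pull class names out of TC_CLASSDESC records. This is a triage scanner,
    not a deserializer: it accepts only plausible Java identifiers."""
    names, i = [], 0
    while i < len(stream) - 3:
        if stream[i] == TC_CLASSDESC:
            n = int.from_bytes(stream[i + 1:i + 3], "big")
            cand = stream[i + 3:i + 3 + n]
            if 0 < n <= 255 and len(cand) == n and CLASS_NAME_RE.match(cand):
                names.append(cand.decode("ascii"))
                i += 3 + n
                continue
        i += 1
    return names

def inspect_t3_payload(payload: bytes) -> Dict[str, object]:
    """Classify one client-to-server payload captured from TCP/7001."""
    is_t3 = payload.startswith(b"t3 ")          # T3 handshake line, e.g. "t3 12.2.1"
    magic_at = payload.find(JAVA_SERIAL_MAGIC)   # serialized object present?
    classes = java_class_descs(payload[magic_at:]) if magic_at >= 0 else []
    hits = [c for c in classes if c.startswith(WATCHED_PREFIXES)]
    return {"t3_handshake": is_t3, "serialized_object": magic_at >= 0,
            "classes": classes, "watched_hits": hits, "alert": is_t3 and bool(hits)}

# --- constructed samples (not real captures) ---------------------------------
def _class_desc(name: str) -> bytes:
    n = name.encode("ascii")
    # TC_CLASSDESC, UTF length, name, serialVersionUID (8), flags (1), field count (2)
    return bytes([TC_CLASSDESC]) + len(n).to_bytes(2, "big") + n + b"\x00" * 8 + b"\x03\x00\x00"

T3_HANDSHAKE = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"
BENIGN = T3_HANDSHAKE + JAVA_SERIAL_MAGIC + b"\x73" + _class_desc("java.lang.Integer")
SUSPICIOUS = T3_HANDSHAKE + JAVA_SERIAL_MAGIC + b"\x73" + _class_desc(
    "org.apache.commons.collections.map.HashedMap")
NOT_T3 = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"

if __name__ == "__main__":
    for label, p in (("benign", BENIGN), ("suspicious", SUSPICIOUS), ("not-t3", NOT_T3)):
        print(label, inspect_t3_payload(p))
```

The same class-name extraction can feed a deserialization blocklist check at the application boundary, which is the practical form SI-10 takes for serialized Java input.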