Vulnerabilities > CVE-2015-4852 - Deserialization of Untrusted Data vulnerability in Oracle products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
oracle
CWE-502
critical
nessus
exploit available
metasploit

Summary

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.

Common Weakness Enumeration (CWE)

Exploit-Db

  • descriptionWebsphere/JBoss/OpenNMS/Symantec Endpoint Protection Manager - Java Deserialization Remote Code Execution. CVE-2015-4852. Remote exploit for Multiple platform
    idEDB-ID:44552
    last seen2018-05-24
    modified2016-07-20
    published2016-07-20
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/44552/
    titleWebsphere/JBoss/OpenNMS/Symantec Endpoint Protection Manager - Java Deserialization Remote Code Execution
  • fileexploits/multiple/remote/46628.rb
    idEDB-ID:46628
    last seen2019-03-28
    modified2019-03-28
    platformmultiple
    port
    published2019-03-28
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/46628
    titleOracle Weblogic Server Deserialization RCE - Raw Object (Metasploit)
    typeremote
  • descriptionOracle WebLogic Server 10.3.6.0 - Java Deserialization. CVE-2015-4852. Remote exploit for Java platform
    fileexploits/java/remote/42806.py
    idEDB-ID:42806
    last seen2017-09-29
    modified2017-09-27
    platformjava
    port
    published2017-09-27
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/42806/
    titleOracle WebLogic Server 10.3.6.0 - Java Deserialization
    typeremote

Metasploit

descriptionAn unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object (weblogic.jms.common.StreamMessageImpl) to the interface to execute code on vulnerable hosts.
idMSF:EXPLOIT/MULTI/MISC/WEBLOGIC_DESERIALIZE_RAWOBJECT
last seen2020-06-05
modified2019-03-26
published2018-12-16
referenceshttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4852
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/misc/weblogic_deserialize_rawobject.rb
titleOracle Weblogic Server Deserialization RCE - Raw Object

Nessus

  • NASL familyWeb Servers
    NASL idWEBLOGIC_2015_4852.NASL
    descriptionThe remote Oracle WebLogic server is affected by a remote code execution vulnerability in the WLS Security component due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. An unauthenticated, remote attacker can exploit this to execute arbitrary Java code in the context of the WebLogic server.
    last seen2020-06-01
    modified2020-06-02
    plugin id87011
    published2015-11-23
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/87011
    titleOracle WebLogic Java Object Deserialization RCE
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(87011);
      script_version("1.22");
      script_cvs_date("Date: 2019/11/20");
    
      script_cve_id("CVE-2015-4852");
      script_bugtraq_id(77539);
      script_xref(name:"CERT", value:"576313");
      script_xref(name:"IAVA", value:"2015-A-0287");
    
      script_name(english:"Oracle WebLogic Java Object Deserialization RCE");
      script_summary(english:"Sends an unexpected Java object to the server.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Oracle WebLogic server is affected by a remote code
    execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The remote Oracle WebLogic server is affected by a remote code
    execution vulnerability in the WLS Security component due to unsafe
    deserialize calls of unauthenticated Java objects to the Apache
    Commons Collections (ACC) library. An unauthenticated, remote attacker
    can exploit this to execute arbitrary Java code in the context of the
    WebLogic server.");
      # https://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e0203be3");
      # https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9c6d83db");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to the relevant fixed version referenced in the vendor
    advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-4852");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"exploited_by_nessus", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Oracle Weblogic Server Deserialization RCE - Raw Object');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_set_attribute(attribute:"in_the_news", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/11/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/11/23");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_ATTACK);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("weblogic_detect.nasl", "t3_detect.nasl");
      script_require_ports("Services/t3", 7001);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("t3.inc");
    
    appname = "Oracle WebLogic Server";
    
    port = get_service(svc:'t3', default:7001, exit_on_fail:TRUE);
    
    # Try to talk T3 to the server
    sock = open_sock_tcp(port);
    if (!sock) audit(AUDIT_SOCK_FAIL, port);
    version = t3_connect(sock:sock, port:port);
    
    # send ident so we can move on to login
    t3_send_ident_request(sock:sock, port:port);
    
    # send our "login request"
    auth_request = '\x05\x65\x08\x00\x00\x00\x01\x00\x00\x00\x1b\x00\x00\x00\x5d\x01\x01\x00\x73\x72\x01\x78\x70\x73\x72\x02\x78\x70\x00\x00\x00\x00\x00\x00\x00\x00\x75\x72\x03\x78\x70\x00\x00\x00\x00\x78\x74\x00\x08\x77\x65\x62\x6c\x6f\x67\x69\x63\x75\x72\x04\x78\x70\x00\x00\x00\x0c\x9c\x97\x9a\x9a\x8c\x9a\x9b\xcf\xcf\x9b\x93\x9a\x74\x00\x08\x77\x65\x62\x6c\x6f\x67\x69\x63\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x02\x5b\x42\xac\xf3\x17\xf8\x06\x08\x54\xe0\x02\x00\x00\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x10\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x56\x65\x63\x74\x6f\x72\xd9\x97\x7d\x5b\x80\x3b\xaf\x01\x03\x00\x03\x49\x00\x11\x63\x61\x70\x61\x63\x69\x74\x79\x49\x6e\x63\x72\x65\x6d\x65\x6e\x74\x49\x00\x0c\x65\x6c\x65\x6d\x65\x6e\x74\x43\x6f\x75\x6e\x74\x5b\x00\x0b\x65\x6c\x65\x6d\x65\x6e\x74\x44\x61\x74\x61\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00';
    # this is an org.apache.commons.collections.functors.ConstantTransforms object
    # that is part of the deserialization blacklist.
    auth_request += '\xac\xed\x00\x05\x73\x72\x00\x3b\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x6f\x6e\x73\x74\x61\x6e\x74\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x58\x76\x90\x11\x41\x02\xb1\x94\x02\x00\x01\x4c\x00\x09\x69\x43\x6f\x6e\x73\x74\x61\x6e\x74\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x78\x70\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00\x78\x70\x00\x00\x00\x01';
    auth_request += '\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x25\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x49\x6d\x6d\x75\x74\x61\x62\x6c\x65\x53\x65\x72\x76\x69\x63\x65\x43\x6f\x6e\x74\x65\x78\x74\xdd\xcb\xa8\x70\x63\x86\xf0\xba\x0c\x00\x00\x78\x72\x00\x29\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6d\x69\x2e\x70\x72\x6f\x76\x69\x64\x65\x72\x2e\x42\x61\x73\x69\x63\x53\x65\x72\x76\x69\x63\x65\x43\x6f\x6e\x74\x65\x78\x74\xe4\x63\x22\x36\xc5\xd4\xa7\x1e\x0c\x00\x00\x78\x70\x77\x02\x06\x00\x73\x72\x00\x26\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6d\x69\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x4d\x65\x74\x68\x6f\x64\x44\x65\x73\x63\x72\x69\x70\x74\x6f\x72\x12\x48\x5a\x82\x8a\xf7\xf6\x7b\x0c\x00\x00\x78\x70\x77\x34\x00\x2eauthenticate\x28\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x73\x65\x63\x75\x72\x69\x74\x79\x2e\x61\x63\x6c\x2eUserInfo\x3b\x29\x00\x00\x00\x1b\x78\x78\xfe\x00\xff';
    send_t3(sock:sock, data:auth_request);
    
    # read in the response to our bad login request
    return_val = recv_t3(sock:sock);
    close(sock);
    
    if (isnull(return_val) ||
      "org.apache.commons.collections.functors.ConstantTransformer cannot be cast to" >!< return_val)
      audit(AUDIT_INST_VER_NOT_VULN, appname, version);
    
    report =
      '\nNessus was able to exploit a Java deserialization vulnerability by' +
      '\nsending a crafted Java object.' +
      '\n';
    security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
    
  • NASL familyF5 Networks Local Security Checks
    NASL idF5_BIGIP_SOL30518307.NASL
    descriptionCVE-2015-4852 Java applications that have an endpoint that accepts serialized Java objects, an attacker can combine serializable collections to create arbitrary remote code execution. Based on the FoxGlove, an attack can be done via RMI or HTTP. The vulnerability is actually in InvokerTransformer class. If class path exists for commons-collections or commons-collections4, the vulnerability exits in the application. Apache Collections-580 - Arbitrary remote code execution with InvokerTransformer With InvokerTransformer, serializable collections can be build that execute arbitrary Java code. sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes #entrySet and #get on a deserialized collection. If you have an endpoint that accepts serialized Java objects (JMX, RMI, remote EJB, ...) you can combine the two to create arbitrary remote code execution vulnerability.
    last seen2020-06-01
    modified2020-06-02
    plugin id87432
    published2015-12-17
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/87432
    titleF5 Networks BIG-IP : Java commons-collections library vulnerability (K30518307)

Packetstorm

Saint

bid77539
descriptionOracle WebLogic Apache Commons library deserialization vulnerability
idweb_dev_weblogic
titleweblogic_apache_commons_deserialization
typeremote

References