CVE-2016-0638 - Unspecified vulnerability in Oracle WebLogic Server

CVSS metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |

Summary
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6, 12.1.2, 12.1.3, and 12.2.1 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Java Messaging Service.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 4 |
Nessus
Field | Value |
---|---|
NASL family | Web Servers |
NASL id | WEBLOGIC_2016_0638.NASL |
description | The remote Oracle WebLogic Server is affected by a remote code execution vulnerability in the Java Messaging Service subcomponent in the readExternal() function due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this, via a crafted object payload, to bypass the ClassFilter.class blacklist and execute arbitrary Java code in the context of the WebLogic server. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 90709 |
published | 2016-04-26 |
reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/90709 |
title | Oracle WebLogic Server Java Object Deserialization RCE (April 2016 CPU) |
References
- http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
- http://www.securitytracker.com/id/1035615
- https://www.tenable.com/security/research/tra-2016-09