Vulnerabilities > CVE-2016-5535 - Unspecified vulnerability in Oracle Weblogic Server
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.3.0, 12.2.1.0, and 12.2.1.1 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 4 |
Nessus
NASL family Misc. NASL id ORACLE_WEBLOGIC_SERVER_CPU_OCT_2016.NASL description The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities : - A remote code execution vulnerability exists in the JMXInvokerServlet interface due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2015-7501) - An unspecified flaw exists in the Java Server Faces subcomponent that allows an authenticated, remote attacker to execute arbitrary code. (CVE-2016-3505) - An unspecified flaw exists in the Web Container subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2016-5488) - An unspecified flaw exists in the WLS-WebServices subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-5531) - An unspecified flaw that allows an unauthenticated, remote attacker to execute arbitrary code. No other details are available. (CVE-2016-5535) - An unspecified flaw exists in the CIE Related subcomponent that allows a local attacker to impact confidentiality and integrity. (CVE-2016-5601) last seen 2020-06-01 modified 2020-06-02 plugin id 94290 published 2016-10-26 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/94290 title Oracle WebLogic Server Multiple Vulnerabilities (October 2016 CPU) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(94290); script_version("1.8"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/30"); script_cve_id( "CVE-2015-7501", "CVE-2016-3505", "CVE-2016-3551", "CVE-2016-5488", "CVE-2016-5531", "CVE-2016-5535", "CVE-2016-5601" ); script_bugtraq_id( 78215, 93627, 93692, 93704, 93708, 93730 ); script_xref(name:"CERT", value:"576313"); script_name(english:"Oracle WebLogic Server Multiple Vulnerabilities (October 2016 CPU)"); script_summary(english:"Checks for the patch."); script_set_attribute(attribute:"synopsis", value: "An application server installed on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities : - A remote code execution vulnerability exists in the JMXInvokerServlet interface due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2015-7501) - An unspecified flaw exists in the Java Server Faces subcomponent that allows an authenticated, remote attacker to execute arbitrary code. (CVE-2016-3505) - An unspecified flaw exists in the Web Container subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2016-5488) - An unspecified flaw exists in the WLS-WebServices subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-5531) - An unspecified flaw that allows an unauthenticated, remote attacker to execute arbitrary code. No other details are available. (CVE-2016-5535) - An unspecified flaw exists in the CIE Related subcomponent that allows a local attacker to impact confidentiality and integrity. (CVE-2016-5601)"); # http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bac902d5"); # https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9c6d83db"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the October 2016 Oracle Critical Patch Update advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:U/RC:X"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-3505"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/28"); script_set_attribute(attribute:"patch_publication_date", value:"2016/10/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/26"); script_set_attribute(attribute:"agent", value:"all"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server"); script_set_attribute(attribute:"in_the_news", value:"true"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2016-2020 Tenable Network Security, Inc."); script_dependencies("oracle_weblogic_server_installed.nbin"); script_require_keys("installed_sw/Oracle WebLogic Server"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("install_func.inc"); app_name = "Oracle WebLogic Server"; install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE); ohome = install["Oracle Home"]; subdir = install["path"]; version = install["version"]; fix = NULL; fix_ver = NULL; # individual security patches if (version =~ "^10\.3\.6\.") { fix_ver = "10.3.6.0.161018"; fix = "23743997"; } else if (version =~ "^12\.1\.3\.") { fix_ver = "12.1.3.0.161018"; fix = "23744018"; } else if (version =~ "^12\.2\.1\.0($|[^0-9])") { fix_ver = "12.2.1.0.161018"; fix = "24286148"; } else if (version =~ "^12\.2\.1\.1($|[^0-9])") { fix_ver = "12.2.1.1.161018"; fix = "24286152"; } if (!isnull(fix_ver) && ver_compare(ver:version, fix:fix_ver, strict:FALSE) == -1) { port = 0; report = '\n Oracle home : ' + ohome + '\n Install path : ' + subdir + '\n Version : ' + version + '\n Required patch : ' + fix + '\n'; security_report_v4(extra:report, port:port, severity:SECURITY_HOLE); } else audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);
NASL family Web Servers NASL id WEBLOGIC_2016_5535.NASL description The remote Oracle WebLogic server is affected by a remote code execution vulnerability in the WLS Security component due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons File Upload library. An unauthenticated, remote attacker can exploit this, via a crafted a DiskFileItem object, to execute arbitrary code in the context of the WebLogic server. last seen 2020-06-01 modified 2020-06-02 plugin id 94511 published 2016-11-03 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94511 title Oracle WebLogic Server Java Object Deserialization RCE (October 2016 CPU) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(94511); script_version("1.11"); script_cvs_date("Date: 2019/11/14"); script_cve_id("CVE-2016-5535"); script_bugtraq_id(93692); script_xref(name:"TRA", value:"TRA-2016-33"); script_xref(name:"ZDI", value:"ZDI-16-572"); script_name(english:"Oracle WebLogic Server Java Object Deserialization RCE (October 2016 CPU)"); script_summary(english:"Sends a DiskFileItem object to the server."); script_set_attribute(attribute:"synopsis", value: "The remote Oracle WebLogic server is affected by a remote code execution vulnerability."); script_set_attribute(attribute:"description", value: "The remote Oracle WebLogic server is affected by a remote code execution vulnerability in the WLS Security component due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons File Upload library. An unauthenticated, remote attacker can exploit this, via a crafted a DiskFileItem object, to execute arbitrary code in the context of the WebLogic server."); # http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bac902d5"); # https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9c6d83db"); script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2016-33"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-16-572/"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the October 2016 Oracle Critical Patch Update advisory. WebLogic 12.2.1.3 is also reported to be affected. Contact Oracle for a solution."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5535"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_nessus", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/18"); script_set_attribute(attribute:"patch_publication_date", value:"2016/10/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/03"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"Web Servers"); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("weblogic_detect.nasl", "t3_detect.nasl"); script_require_ports("Services/t3", 7001); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("t3.inc"); appname = "Oracle WebLogic Server"; port = get_service(svc:'t3', default:7001, exit_on_fail:TRUE); # Try to talk T3 to the server sock = open_sock_tcp(port); if (!sock) audit(AUDIT_SOCK_FAIL, port); version = t3_connect(sock:sock, port:port); # send ident so we can move on to login t3_send_ident_request(sock:sock, port:port); # send our "login request" auth_request = '\x05\x65\x08\x00\x00\x00\x01\x00\x00\x00\x1b\x00\x00\x00\x5d\x01\x01\x00\x73\x72\x01\x78\x70\x73\x72\x02\x78\x70\x00\x00\x00\x00\x00\x00\x00\x00\x75\x72\x03\x78\x70\x00\x00\x00\x00\x78\x74\x00\x08\x77\x65\x62\x6c\x6f\x67\x69\x63\x75\x72\x04\x78\x70\x00\x00\x00\x0c\x9c\x97\x9a\x9a\x8c\x9a\x9b\xcf\xcf\x9b\x93\x9a\x74\x00\x08\x77\x65\x62\x6c\x6f\x67\x69\x63\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x02\x5b\x42\xac\xf3\x17\xf8\x06\x08\x54\xe0\x02\x00\x00\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x10\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x56\x65\x63\x74\x6f\x72\xd9\x97\x7d\x5b\x80\x3b\xaf\x01\x03\x00\x03\x49\x00\x11\x63\x61\x70\x61\x63\x69\x74\x79\x49\x6e\x63\x72\x65\x6d\x65\x6e\x74\x49\x00\x0c\x65\x6c\x65\x6d\x65\x6e\x74\x43\x6f\x75\x6e\x74\x5b\x00\x0b\x65\x6c\x65\x6d\x65\x6e\x74\x44\x61\x74\x61\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00'; # this is an org.apache.commons.fileupload.disk.DiskFileItem object that should not # be deserializable if the vulnerability was fixed auth_request += '\xac\xed\x00\x05\x73\x72\x00\x2f\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x66\x69\x6c\x65\x75\x70\x6c\x6f\x61\x64\x2e\x64\x69\x73\x6b\x2e\x44\x69\x73\x6b\x46\x69\x6c\x65\x49\x74\x65\x6d\x1f\x0d\x72\x26\x83\x9a\x88\x71\x03\x00\x0a\x5a\x00\x0b\x69\x73\x46\x6f\x72\x6d\x46\x69\x65\x6c\x64\x4a\x00\x04\x73\x69\x7a\x65\x49\x00\x0d\x73\x69\x7a\x65\x54\x68\x72\x65\x73\x68\x6f\x6c\x64\x5b\x00\x0d\x63\x61\x63\x68\x65\x64\x43\x6f\x6e\x74\x65\x6e\x74\x74\x00\x02\x5b\x42\x4c\x00\x0b\x63\x6f\x6e\x74\x65\x6e\x74\x54\x79\x70\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x08\x64\x66\x6f\x73\x46\x69\x6c\x65\x74\x00\x0e\x4c\x6a\x61\x76\x61\x2f\x69\x6f\x2f\x46\x69\x6c\x65\x3b\x4c\x00\x09\x66\x69\x65\x6c\x64\x4e\x61\x6d\x65\x71\x00\x7e\x00\x02\x4c\x00\x08\x66\x69\x6c\x65\x4e\x61\x6d\x65\x71\x00\x7e\x00\x02\x4c\x00\x07\x68\x65\x61\x64\x65\x72\x73\x74\x00\x2f\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x66\x69\x6c\x65\x75\x70\x6c\x6f\x61\x64\x2f\x46\x69\x6c\x65\x49\x74\x65\x6d\x48\x65\x61\x64\x65\x72\x73\x3b\x4c\x00\x0a\x72\x65\x70\x6f\x73\x69\x74\x6f\x72\x79\x71\x00\x7e\x00\x03\x78\x70\x00\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x75\x72\x00\x02\x5b\x42\xac\xf3\x17\xf8\x06\x08\x54\xe0\x02\x00\x00\x78\x70\x00\x00\x00\x00\x74\x00\x02\x68\x69\x70\x71\x00\x7e\x00\x08\x71\x00\x7e\x00\x08\x70\x70\x78'; auth_request += '\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x25\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x49\x6d\x6d\x75\x74\x61\x62\x6c\x65\x53\x65\x72\x76\x69\x63\x65\x43\x6f\x6e\x74\x65\x78\x74\xdd\xcb\xa8\x70\x63\x86\xf0\xba\x0c\x00\x00\x78\x72\x00\x29\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6d\x69\x2e\x70\x72\x6f\x76\x69\x64\x65\x72\x2e\x42\x61\x73\x69\x63\x53\x65\x72\x76\x69\x63\x65\x43\x6f\x6e\x74\x65\x78\x74\xe4\x63\x22\x36\xc5\xd4\xa7\x1e\x0c\x00\x00\x78\x70\x77\x02\x06\x00\x73\x72\x00\x26\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6d\x69\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x4d\x65\x74\x68\x6f\x64\x44\x65\x73\x63\x72\x69\x70\x74\x6f\x72\x12\x48\x5a\x82\x8a\xf7\xf6\x7b\x0c\x00\x00\x78\x70\x77\x34\x00\x2eauthenticate\x28\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x73\x65\x63\x75\x72\x69\x74\x79\x2e\x61\x63\x6c\x2eUserInfo\x3b\x29\x00\x00\x00\x1b\x78\x78\xfe\x00\xff'; send_t3(sock:sock, data:auth_request); # read in the response to our bad login request return_val = recv_t3(sock:sock); close(sock); if (isnull(return_val) || "org.apache.commons.fileupload.disk.DiskFileItem cannot be cast to weblogic.rjvm.ClassTableEntry" >!< return_val) audit(AUDIT_INST_VER_NOT_VULN, appname, version); report = '\nNessus was able to exploit a Java deserialization vulnerability by' + '\nsending a crafted Java object.' + '\n'; security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
References
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- http://www.securityfocus.com/bid/93692
- http://www.securityfocus.com/bid/93692
- http://www.securitytracker.com/id/1037052
- http://www.securitytracker.com/id/1037052
- https://www.tenable.com/security/research/tra-2016-33
- https://www.tenable.com/security/research/tra-2016-33