Immunity Canvas: WEBLOGIC_T3_DESERIALIZATION

2017-11-09 17:29:00
Immunity Canvas
exploitlist.immunityinc.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.967 High
Percentile: 99.7%

Name weblogic_t3_deserialization
CVE CVE-2015-4852 Exploit Pack
VENDOR: Oracle
NOTES:
IMPORTANT NOTE: This module WILL NOT WORK against any instance of this application running an Apache Commons Collections version prior to 3.0.

WebLogic’s AdminServer servlet allows remote administration (often unauthenticated) via the
proprietary T3 protocol. This protocol is similar to RMI in the sense that it depends on the exchange
of serialized Java objects that are then deserialized. Apache Commons Collections pre-3.2.2 allows users to
serialize transformers on collection values. Of importance to us is the InvokerTransformer, which
is capable of invoking Java methods. We are able to run these transformers by adding them to an
annotation map whose members are accessed. The right chain of method invocations leads to arbitrary
code execution.
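
For detection, the class names inside serialized Java objects travel in clear text, so captured traffic can be checked for the transformer classes described above. The following is an added example, not part of the Canvas module or any vendor tool: a heuristic byte scan (not a full stream parser) in which the denied package prefix, the helper names and the sample bytes are assumptions constructed for illustration.

```python
import re
import struct

# Java serialization stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (0x0005).
STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_CLASSDESC = 0x72  # tag that precedes a class descriptor in the stream

# Assumption for this example: deny the Commons Collections functors package,
# which holds the InvokerTransformer named above.
DENY_PREFIXES = ("org.apache.commons.collections.functors.",)
CLASS_NAME = re.compile(rb"[A-Za-z_$\[][\w$.;\[]*")


def class_names(buf):
    """Return class names from TC_CLASSDESC records after the first stream magic."""
    names = []
    i = buf.find(STREAM_MAGIC)
    if i == -1:
        return names
    i += len(STREAM_MAGIC)
    while i + 3 <= len(buf):
        if buf[i] == TC_CLASSDESC:
            (n,) = struct.unpack_from(">H", buf, i + 1)
            name = buf[i + 3:i + 3 + n]
            end = i + 3 + n + 9  # name + serialVersionUID (8) + flags (1)
            if 0 < n <= 256 and end <= len(buf) and CLASS_NAME.fullmatch(name):
                names.append(name.decode("ascii"))
                i = end
                continue
        i += 1
    return names


def flag_gadgets(buf):
    """Return the class names in buf that fall under a denied prefix."""
    return [n for n in class_names(buf) if n.startswith(DENY_PREFIXES)]


def _classdesc(name):
    # Constructed descriptor: tag, UTF name, zero UID, SC_SERIALIZABLE, no fields.
    raw = name.encode("ascii")
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(raw)) + raw + b"\x00" * 8 + b"\x02\x00\x00"


# Constructed sample: arbitrary framing bytes, then two streams. It carries
# class descriptors only, no object data.
SAMPLE = (b"\x00\x00\x00\x2a\x01\x65"
          + STREAM_MAGIC + b"\x73" + _classdesc("java.util.HashMap")
          + STREAM_MAGIC + b"\x73"
          + _classdesc("org.apache.commons.collections.functors.InvokerTransformer"))
```

A hit means a denied class name was present in the stream, not that it was executed; benign application traffic can also reference these classes.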

Version support:
Installer did not support the JVM version unless marked otherwise.
> Ubuntu Linux 14.04.3 - x86
- 10.3.6 on Java SE 6
- 10.3.6 on JRockit 1.6 - NOT SUPPORTED
- 12.2.1 on Java SE 8 ()
- 12.1.2 on Java SE 7 / 8
- 12.1.3 on Java SE 7 / 8
> Windows 7 Ultimate SP 1 x86
- 12.1.3 on Java SE 8 - FAILED
- 12.1.3 on Java SE 7
- 12.1.2 on Java SE 7
- 12.2.1 on Java SE 8 - FAILED
- 12.2.1 on Java SE 6 - Installer does not support Java version
- 12.2.1 on Java SE 7 - Installer does not support Java version
- 10.3.6 on Java SE 6
- 10.3.6 on JRockit 1.6 - NOT SUPPORTED

Repeatability: One Shot
References:
- http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
- https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread
- http://www.oracle.com/technetwork/topcis/security/alert-cve-2015-4852-2763333.html
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7501
CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4852
