Lucene search

SAINT CorporationSAINT:9870FA2AA27A04C7E50DC7E0A2A344D0

HistoryMay 27, 2020 - 12:00 a.m.

Oracle WebLogic Server BadAttributeValueExpException deserialization

2020-05-2700:00:00

SAINT Corporation

download.saintcorporation.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.964 High

EPSS

Percentile

99.5%

JSON

Added: 05/27/2020
CVE: CVE-2020-2555

Background

Oracle WebLogic Server (formerly BEA WebLogic Server) is a Java web application platform.

Problem

A Java object deserialization vulnerability in WebLogic allows unauthenticated remote code execution by sending a serialized **BadAttributeValueExpException** object over the T3 protocol.

Resolution

Apply the patch referenced in Oracle Critical Patch Update Advisory - January 2020.

References

<https://www.oracle.com/security-alerts/cpujan2020.html>

Limitations

Exploit works on Oracle WebLogic Server 12.1.3.0.0, 12.2.1.3.0, and 12.2.1.4.0 on Windows.

Platforms

Windows

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.964 High

EPSS

Percentile

99.5%

JSON

Related for SAINT:9870FA2AA27A04C7E50DC7E0A2A344D0