Security Bulletin: The IBM® Engineering Lifecycle Management is impacted by vulnerabilties in Apache Commons Collections

Summary Multiple vulnerabilities have been identified in Apache Commons Collections, which is used in IBM Engineering Lifecycle Management - IBM Jazz. This bulletin contains information regarding vulnerabilities and remediation actions. Vulnerability Details CVEID:CVE-2017-15708 DESCRIPTION: Apac...

Security Bulletin: Multiple vulnerabilities of Apache common collections (commons-collections-3.2.jar) have affected APM WebSphere Application Server Agent

Summary APM WebSphere Application Server Agent is vulnerable to Apache common collections commons-collections-3.2.jar. The fix includes commons-collections-3.2.jar upgraded to commons-collections-3.2.2.jar. CVE-2015-4852, CVE-2017-15708 and CVE-2019-13116 Vulnerability Details CVEID:CVE-2015-4852...

SUSE CVE-2015-4852

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to...

Oracle Weblogic Server Deserialization RCE - Raw Object (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core/exploit/powershell' class MetasploitModule 'Oracle Weblogic Server Deserialization RCE - Raw Object', 'Description' = %q An unauthenticated attacker wi...

Oracle Weblogic Server Deserialization RCE - Raw Object

An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object weblogic.jms.common.StreamMessageImpl to the interface to execute code on vulnerable hosts. This module requires Metasploit: https://metasploit.com/download Current source:...

CVE-2015-4852

creationtimestamp| type| source ---|---|--- 2018-01-05 01:08:44+00:00| seen| MISP/5a4ecbf4-1b24-4a5f-9f4d-4b7c98036464 2019-03-26 22:18:44+00:00| seen| https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/weblogicdeserializerawobject.rb 2019-03-28 00:00:00+00:00|...

Immunity Canvas: WEBLOGIC_T3_DESERIALIZATION

Name| weblogict3deserialization ---|--- CVE| CVE-2015-4852 Exploit Pack| CANVAS Description| weblogict3deserialization Notes| CVE Name: CVE-2015-4852 VENDOR: Oracle NOTES: IMPORTANT NOTE: Any instance of this application running Apache Commons Collections version prior to 3.0 WILL NOT WORK...

Oracle WebLogic Server 10.3.6.0 - Java Deserialization Exploit

Exploit for java platform in category remote exploits Exploit Title: Oracle WebLogic Server Java Deserialization Remote Code Execution Date: 27/09/2017 Exploit Author: SlidingWindow , Twitter: @kapilkhot Vulnerability Author: FoxGloveSecurity Vendor Homepage:...

Oracle WebLogic Server 10.3.6.0 - Java Deserialization Remote Code Execution

Exploit Title: Oracle WebLogic Server Java Deserialization Remote Code Execution Date: 27/09/2017 Exploit Author: SlidingWindow , Twitter: @kapilkhot Vulnerability Author: FoxGloveSecurity Vendor Homepage: http://www.oracle.com/technetwork/middleware/weblogic/overview/index.html Affetcted Version...

Oracle WebLogic Server 10.3.6.0 - Java Deserialization Remote Code Execution

Oracle WebLogic Server 10.3.6.0 - Java Deserialization Remote Code Execution Exploit Title: Oracle WebLogic Server Java Deserialization Remote Code Execution Date: 27/09/2017 Exploit Author: SlidingWindow , Twitter: @kapilkhot Vulnerability Author: FoxGloveSecurity Vendor Homepage:...

Oracle WebLogic Server Java Deserialization / RCE Vulnerability (CVE-2015-4852) - Active Check

Oracle WebLogic Server is prone to a remote code execution RCE vulnerability. SPDX-FileCopyrightText: 2016 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

Exploit for Deserialization of Untrusted Data in Oracle Virtual_Desktop_Infrastructure

serialator Python script to exploit CVE-2015-4852. Descrip...

Oracle Critical Patch Update - January 2016

A Critical Patch Update CPU is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update...

F5 Networks BIG-IP : Java commons-collections library vulnerability (K30518307)

CVE-2015-4852 Java applications that have an endpoint that accepts serialized Java objects, an attacker can combine serializable collections to create arbitrary remote code execution. Based on the FoxGlove, an attack can be done via RMI or HTTP. The vulnerability is actually in InvokerTransformer...

Oracle WebLogic Apache Commons library deserialization vulnerability

Added: 11/20/2015 CVE: CVE-2015-4852 BID: 77539 Background Oracle WebLogic Server formerly BEA WebLogic Server is a Java web application platform. Apache Commons is a widely used Java library which is included in WebLogic Server. Problem A vulnerability in the Apache Commons library used by Oracl...

CVE-2015-4852

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to...

CVE-2015-4852

CVE-2015-4852 describes a remote code execution in Oracle WebLogic Server via deserialization of untrusted data in the WLS Security component. A crafted serialized Java object (via Apache Commons Collections) in T3 protocol traffic to TCP port 7001 can execute arbitrary commands. Affected version...

CVE-2015-4852

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to...

Oracle WebLogic Server Java Deserialization / RCE Vulnerability (CVE-2015-4852) - Version Check

Oracle WebLogic Server is prone to a remote code execution RCE vulnerability. SPDX-FileCopyrightText: 2015 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

Potential Remote Code Execution Via Java Object Deserialization

Apache Commons includes a class called InvokerTransformer. An application is vulnerable to a deserialization attack if this class is available on the classpath and the application deserializes untrusted or user-supplied data. It's not necessary to actually use InvokerTransfomer to be vulnerable...