Attacker Value
Unknown
(1 user assessed)
Exploitability
Unknown
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
1

CVE-2015-4852

Disclosure Date: November 18, 2015
CVE-2015-4852 CVSS v3 Base Score: 9.8
Exploited in the Wild
Reported by gwillcox-r7 and 1 more...
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.

Add Assessment

1
Technical Analysis

This is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
exploit/multi/misc/weblogic_deserialize_rawobject
Reporter
Unknown

Vendors

  • oracle

Products

  • storagetek tape analytics sw tool 2.3,
  • virtual desktop infrastructure,
  • weblogic server 10.3.6.0.0,
  • weblogic server 12.1.2.0.0,
  • weblogic server 12.1.3.0.0,
  • weblogic server 12.2.1.0.0

Exploited in the Wild

Reported by:

References

Canonical
CVE-2015-4852 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4852)
BID-77539 (http://www.securityfocus.com/bid/77539)
Advisory
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
https://blogs.oracle.com/security/entry/security_alert_cve_2015_4852
SECTRACK-1038292 (http://www.securitytracker.com/id/1038292)
http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html
[oss-security] 20151117 Re: Assign CVE for common-collections remote code execution on deserialisation flaw (http://www.openwall.com/lists/oss-security/2015/11/17/19)
EXPLOIT-DB-42806 (https://www.exploit-db.com/exploits/42806)
EXPLOIT-DB-46628 (https://www.exploit-db.com/exploits/46628)
Exploited in the Wild By Chinese APTs (https://us-cert.cisa.gov/ncas/alerts/aa20-275a)
Miscellaneous
https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/weblogic.py
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability
http://packetstormsecurity.com/files/152268/Oracle-Weblogic-Server-Deserialization-Remote-Code-Execution.html
Exploited in the Wild Gov Advisory (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis