Oracle Security Alert for CVE-2015-4852


This Security Alert addresses security issue CVE-2015-4852, a deserialization vulnerability involving Apache Commons and Oracle WebLogic Server. This is a remote code execution vulnerability and is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

This Security Alert is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at:

Affected Products and Versions

Oracle WebLogic Server, versions,,, are affected.

  • Mitigation recommendations are available at MOS Note 2076338.1, and will be updated as new information becomes available.
  • Creation of Oracle WebLogic Server patches is in progress. Patch Availability information will be updated at MOS Note 2075927.1

Supported Products and Versions

Patch availability information is provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers remain on actively supported versions to ensure that they continue to receive security fixes from Oracle.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of the vulnerability addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities.

Products in Extended Support

Security Alert fixes are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to apply Security Alert fixes for products in the Extended Support Phase.

Oracle Cloud

The Oracle security and development teams are investigating this issue and are developing fixes for the affected products and services. The Oracle Cloud teams are evaluating these fixes as they become available and will be applying the relevant patches in accordance with applicable change management processes.

Customers requiring additional information which is not addressed in this communication may obtain more information as follows:

  • Oracle Managed Cloud Services (OMCS) Customers should contact their Service Delivery Manager (SDM). CRM On Demand customers should request status via SR.
  • Oracle Cloud for Industry (OCI) and Micros Cloud Customers should contact
  • Oracle Public Cloud (OPC) Customers should submit a Service Request within their designated support system to request an update which is specific to the services they have purchased.

Patch Availability Table and Risk Matrix

The security fixes in this Security Alert are cumulative; the latest updates includes all fixes from previous Critical Patch Updates and Security Alerts.

Credit Statement

Matthias Kaiser of Code White reported security vulnerabilities to Oracle addressed by this Security Alert.


Modification History

Date Comments
2015-Nov-12 Rev 2. Versions Updated
2015-Nov-10 Rev 1. Initial Release

Appendix - Oracle Fusion Middleware

Oracle Fusion Middleware Executive Summary

This Security Alert contains 1 new security fix for Oracle Fusion Middleware. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen­tication Confid­entiality Inte­grity Avail­ability
CVE-2015-4852 Oracle WebLogic Server T3 WLS Security Yes 7.5 Network Low None Partial+ Partial+ Partial+,,,