This Security Alert addresses security issue CVE-2015-4852, a deserialization vulnerability involving Apache Commons and Oracle WebLogic Server. This is a remote code execution vulnerability and is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.
This Security Alert is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: https://www.oracle.com/security-alerts/cpufaq.html#CVRF.
Oracle WebLogic Server, versions 10.3.6.0, 184.108.40.206, 220.127.116.11, 18.104.22.168 are affected.
Patch availability information is provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers remain on actively supported versions to ensure that they continue to receive security fixes from Oracle.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of the vulnerability addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities.
Security Alert fixes are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to apply Security Alert fixes for products in the Extended Support Phase.
The Oracle security and development teams are investigating this issue and are developing fixes for the affected products and services. The Oracle Cloud teams are evaluating these fixes as they become available and will be applying the relevant patches in accordance with applicable change management processes.
Customers requiring additional information which is not addressed in this communication may obtain more information as follows:
The security fixes in this Security Alert are cumulative; the latest updates includes all fixes from previous Critical Patch Updates and Security Alerts.
Matthias Kaiser of Code White reported security vulnerabilities to Oracle addressed by this Security Alert.
|2015-Nov-12||Rev 2. Versions Updated|
|2015-Nov-10||Rev 1. Initial Release|
This Security Alert contains 1 new security fix for Oracle Fusion Middleware. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
|CVE#||Component||Protocol||Sub-component||Remote Exploit without Auth.?||CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)||Supported Versions Affected||Notes|
|Base Score||Access Vector||Access Complexity||Authentication||Confidentiality||Integrity||Availability|
|CVE-2015-4852||Oracle WebLogic Server||T3||WLS Security||Yes||7.5||Network||Low||None||Partial+||Partial+||Partial+||10.3.6.0, 22.214.171.124, 126.96.36.199,