Apache Commons Vulnerability Affecting Oracle WebLogic Server (CVE-2015-4852)

November 13, 2015

Summary

A serious vulnerability in Apache Commons, a library that contains a widely used set of Java components maintained by the Apache Software Foundation, puts thousands of Java applications and servers at risk of remote code execution attacks [1]. The library is used by default in multiple Java application servers and other products including Oracle WebLogic, IBM WebSphere, JBoss, Jenkins and OpenNMS.

In response, Oracle has released a Security Alert for CVE-2015-4852, which affects Oracle WebLogic Server [2].

Impact

This is a remote code execution vulnerability that is exploitable without authentication, i.e., it may be exploited over a network without a username and password.

Vulnerable

  • Oracle WebLogic Server versions 10.3.6.0, 12.1.2.0, 12.1.3.0 and 12.2.1.0 are affected.
  • Product releases that are not under Oracle Premier Support or Extended Support are not tested for the presence of the vulnerability addressed by this Security Alert. However, it is likely that earlier versions of the affected releases are also affected by this vulnerability.
  • Other Java applications and application servers that use Apache Commons may also be vulnerable.

Recommendations

Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by the Security Alert as soon as possible.

Patch availability information for Oracle products is provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that Oracle users remain on actively supported versions to ensure that they continue to receive security fixes.

Mitigation recommendations are also available from Oracle [2] and Apache [3].

If you administer a Java web application on campus, you are strongly urged to determine whether your application or Java application server is affected by this deserialization vulnerability. If you administer a web-based product built on Java, contact your vendor [3][4].
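As an aid to the check recommended above, the following added example (not code from Oracle, Apache, or this advisory) inventories every copy of Apache Commons Collections under a directory, including jars bundled inside WAR and EAR files, and flags copies older than the fixed releases. It detects the library by its package names rather than by file name, since application servers often rename bundled jars, and it assumes, from Apache's fix announcement rather than from this page, that 3.2.2 (3.x line) and 4.1 (4.x line) are the first releases with unsafe deserialization disabled.

```python
import io, os, re, zipfile

# First releases with unsafe deserialisation disabled (assumed from Apache's fix notice, not stated here).
FIXED = {3: (3, 2, 2), 4: (4, 1)}
PKG = {"org/apache/commons/collections/": 3, "org/apache/commons/collections4/": 4}

def library_version(zf):  # -> (line, version string) if the archive holds the library, else None
    names = zf.namelist()
    line = next((v for k, v in PKG.items() if any(n.startswith(k) for n in names)), None)
    if line is None:
        return None
    for n in names:  # Maven pom.properties is the most reliable version source
        if n.startswith("META-INF/maven/") and n.endswith("pom.properties") and "collections" in n:
            for raw in zf.read(n).decode("utf-8", "replace").splitlines():
                if raw.startswith("version="):
                    return line, raw.split("=", 1)[1].strip()
    if "META-INF/MANIFEST.MF" in names:  # otherwise fall back to the manifest
        for raw in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
            if raw.startswith(("Implementation-Version:", "Bundle-Version:")):
                return line, raw.split(":", 1)[1].strip()
    return line, ""

def classify(line, version):
    """'vulnerable', 'fixed' or 'unknown' (no version, or one from another artifact such as a shaded app jar)."""
    vt = tuple(int(p) for p in re.findall(r"\d+", version)[:3])  # '3.2.0.v2007' -> (3, 2, 0)
    if not vt or vt[0] != line:
        return "unknown"
    return "vulnerable" if vt < FIXED[line] else "fixed"

def scan_archive(zf, where, findings):
    hit = library_version(zf)
    if hit:
        findings.append((where, hit[1] or "?", classify(*hit)))
    for n in zf.namelist():  # recurse into jars bundled inside a WAR/EAR
        if n.lower().endswith(".jar"):
            data = io.BytesIO(zf.read(n))
            if zipfile.is_zipfile(data):
                with zipfile.ZipFile(data) as inner:
                    scan_archive(inner, f"{where}!{n}", findings)

def scan_tree(root):  # -> [(path, version, status)] for every copy of the library under root
    findings = []
    for d, _, files in os.walk(root):
        for f in files:
            p = os.path.join(d, f)
            if f.lower().endswith((".jar", ".war", ".ear")) and zipfile.is_zipfile(p):
                with zipfile.ZipFile(p) as zf:
                    scan_archive(zf, p, findings)
    return findings
```

Run scan_tree() against the WebLogic home and each deployed application directory; a status of "unknown" means the version could not be read reliably and needs manual review, and finding only "fixed" copies does not replace applying Oracle's Security Alert patch, which the advisory recommends regardless.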

References