ID CVE-2016-5535
Summary Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.3.0, 12.2.1.0, and 12.2.1.1 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
References
Vulnerable Configurations
  • Oracle Weblogic Server 10.3.6.0.0
    cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0
  • Oracle Weblogic Server 12.1.3.0.0
    cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0
  • Oracle Weblogic Server 12.2.1.0.0
    cpe:2.3:a:oracle:weblogic_server:12.2.1.0.0
  • Oracle Weblogic Server 12.2.1.1.0
    cpe:2.3:a:oracle:weblogic_server:12.2.1.1.0
CVSS
Base: 7.5 (as of 26-10-2016 - 12:57)
Impact:
Exploitability:
Access: Vector NETWORK, Complexity LOW, Authentication NONE
Impact: Confidentiality PARTIAL, Integrity PARTIAL, Availability PARTIAL
nessus via4
  • NASL family Misc.
    NASL id ORACLE_WEBLOGIC_SERVER_CPU_OCT_2016.NASL
    description The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities : - A remote code execution vulnerability exists in the JMXInvokerServlet interface due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2015-7501) - An unspecified flaw exists in the Java Server Faces subcomponent that allows an authenticated, remote attacker to execute arbitrary code. (CVE-2016-3505) - An unspecified flaw exists in the Web Container subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2016-5488) - An unspecified flaw exists in the WLS-WebServices subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-5531) - An unspecified flaw that allows an unauthenticated, remote attacker to execute arbitrary code. No other details are available. (CVE-2016-5535) - An unspecified flaw exists in the CIE Related subcomponent that allows a local attacker to impact confidentiality and integrity. (CVE-2016-5601)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 94290
    published 2016-10-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94290
    title Oracle WebLogic Server Multiple Vulnerabilities (October 2016 CPU)
  • NASL family Web Servers
    NASL id WEBLOGIC_2016_5535.NASL
    description The remote Oracle WebLogic server is affected by a remote code execution vulnerability in the WLS Security component due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons File Upload library. An unauthenticated, remote attacker can exploit this, via a crafted DiskFileItem object, to execute arbitrary code in the context of the WebLogic server.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 94511
    published 2016-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94511
    title Oracle WebLogic Server Java Object Deserialization RCE (October 2016 CPU)
refmap via4
bid 93692
confirm http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
misc https://www.tenable.com/security/research/tra-2016-33
sectrack 1037052
Last major update 23-12-2016 - 21:59
Published 25-10-2016 - 10:30
Last modified 30-10-2018 - 12:27