ubuntu-cve-2015-4852
Vulnerability from osv_ubuntu
Published
2015-11-18 15:59
Modified
2026-05-28 12:44
Summary
Details
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.
Severity
9.8 (Critical)
9.8 (Critical)
N/A (UNKNOWN)
References
{
"affected": [
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "libcommons-collections3-java",
"binary_version": "3.2.1-6ubuntu0.1~esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:14.04:LTS",
"name": "libcommons-collections3-java",
"purl": "pkg:deb/ubuntu/libcommons-collections3-java@3.2.1-6ubuntu0.1~esm1?arch=source\u0026distro=trusty/esm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.1-6ubuntu0.1~esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.2.1-5build1",
"3.2.1-6"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "openjdk-8-demo",
"binary_version": "8u492-ga~us2-0ubuntu1~16.04.1"
},
{
"binary_name": "openjdk-8-jdk",
"binary_version": "8u492-ga~us2-0ubuntu1~16.04.1"
},
{
"binary_name": "openjdk-8-jdk-headless",
"binary_version": "8u492-ga~us2-0ubuntu1~16.04.1"
},
{
"binary_name": "openjdk-8-jre",
"binary_version": "8u492-ga~us2-0ubuntu1~16.04.1"
},
{
"binary_name": "openjdk-8-jre-headless",
"binary_version": "8u492-ga~us2-0ubuntu1~16.04.1"
},
{
"binary_name": "openjdk-8-jre-jamvm",
"binary_version": "8u492-ga~us2-0ubuntu1~16.04.1"
},
{
"binary_name": "openjdk-8-jre-zero",
"binary_version": "8u492-ga~us2-0ubuntu1~16.04.1"
},
{
"binary_name": "openjdk-8-source",
"binary_version": "8u492-ga~us2-0ubuntu1~16.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "openjdk-8",
"purl": "pkg:deb/ubuntu/openjdk-8@8u492-ga~us2-0ubuntu1~16.04.1?arch=source\u0026distro=esm-infra-legacy/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8u66-b01-5",
"8u72-b05-1ubuntu1",
"8u72-b05-5",
"8u72-b05-6",
"8u72-b15-1",
"8u72-b15-2ubuntu1",
"8u72-b15-2ubuntu3",
"8u72-b15-3ubuntu1",
"8u77-b03-1ubuntu2",
"8u77-b03-3ubuntu1",
"8u77-b03-3ubuntu2",
"8u77-b03-3ubuntu3",
"8u91-b14-0ubuntu4~16.04.1",
"8u91-b14-3ubuntu1~16.04.1",
"8u111-b14-2ubuntu0.16.04.2",
"8u121-b13-0ubuntu1.16.04.2",
"8u131-b11-0ubuntu1.16.04.2",
"8u131-b11-2ubuntu1.16.04.2",
"8u131-b11-2ubuntu1.16.04.3",
"8u151-b12-0ubuntu0.16.04.2",
"8u162-b12-0ubuntu0.16.04.2",
"8u171-b11-0ubuntu0.16.04.1",
"8u181-b13-0ubuntu0.16.04.1",
"8u181-b13-1ubuntu0.16.04.1",
"8u191-b12-0ubuntu0.16.04.1",
"8u191-b12-2ubuntu0.16.04.1",
"8u212-b03-0ubuntu1.16.04.1",
"8u222-b10-1ubuntu1~16.04.1",
"8u232-b09-0ubuntu1~16.04.1",
"8u242-b08-0ubuntu3~16.04",
"8u252-b09-1~16.04",
"8u265-b01-0ubuntu2~16.04",
"8u272-b10-0ubuntu1~16.04",
"8u275-b01-0ubuntu1~16.04",
"8u282-b08-0ubuntu1~16.04",
"8u292-b10-0ubuntu1~16.04.1",
"8u312-b07-0ubuntu1~16.04",
"8u342-b07-0ubuntu1~16.04",
"8u352-ga-1~16.04",
"8u362-ga-0ubuntu1~16.04.1",
"8u372-ga~us1-0ubuntu1~16.04",
"8u382-ga-1~16.04.1",
"8u392-ga-1~16.04",
"8u432-ga~us1-0ubuntu2~16.04.4",
"8u442-b06~us1-0ubuntu1~16.04",
"8u452-ga~us1-0ubuntu1~16.04.1",
"8u462-ga~us1-0ubuntu2~16.04.2",
"8u472-ga-1~16.04",
"8u482-ga~us1-0ubuntu1~16.04",
"8u492-ga~us2-0ubuntu1~16.04.1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "openjdk-8-demo",
"binary_version": "8u492-ga~us2-0ubuntu1~18.04.1"
},
{
"binary_name": "openjdk-8-jdk",
"binary_version": "8u492-ga~us2-0ubuntu1~18.04.1"
},
{
"binary_name": "openjdk-8-jdk-headless",
"binary_version": "8u492-ga~us2-0ubuntu1~18.04.1"
},
{
"binary_name": "openjdk-8-jre",
"binary_version": "8u492-ga~us2-0ubuntu1~18.04.1"
},
{
"binary_name": "openjdk-8-jre-headless",
"binary_version": "8u492-ga~us2-0ubuntu1~18.04.1"
},
{
"binary_name": "openjdk-8-jre-zero",
"binary_version": "8u492-ga~us2-0ubuntu1~18.04.1"
},
{
"binary_name": "openjdk-8-source",
"binary_version": "8u492-ga~us2-0ubuntu1~18.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "openjdk-8",
"purl": "pkg:deb/ubuntu/openjdk-8@8u492-ga~us2-0ubuntu1~18.04.1?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8u144-b01-2",
"8u151-b12-1",
"8u162-b12-1",
"8u171-b11-0ubuntu0.18.04.1",
"8u181-b13-0ubuntu0.18.04.1",
"8u181-b13-1ubuntu0.18.04.1",
"8u191-b12-0ubuntu0.18.04.1",
"8u191-b12-2ubuntu0.18.04.1",
"8u212-b03-0ubuntu1.18.04.1",
"8u222-b10-1ubuntu1~18.04.1",
"8u232-b09-0ubuntu1~18.04.1",
"8u242-b08-0ubuntu3~18.04",
"8u252-b09-1~18.04",
"8u265-b01-0ubuntu2~18.04",
"8u272-b10-0ubuntu1~18.04",
"8u275-b01-0ubuntu1~18.04",
"8u282-b08-0ubuntu1~18.04",
"8u292-b10-0ubuntu1~18.04",
"8u312-b07-0ubuntu1~18.04",
"8u342-b07-0ubuntu1~18.04",
"8u352-ga-1~18.04",
"8u362-ga-0ubuntu1~18.04.1",
"8u372-ga~us1-0ubuntu1~18.04",
"8u382-ga-1~18.04.1",
"8u392-ga-1~18.04",
"8u402-ga-2ubuntu1~18.04",
"8u412-ga-1~18.04.1",
"8u422-b05-1~18.04",
"8u432-ga~us1-0ubuntu2~18.04",
"8u442-b06~us1-0ubuntu1~18.04",
"8u452-ga~us1-0ubuntu1~18.04",
"8u462-ga~us1-0ubuntu2~18.04.2",
"8u472-ga-1~18.04",
"8u482-ga~us1-0ubuntu1~18.04",
"8u492-ga~us2-0ubuntu1~18.04.1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "openjdk-8-demo",
"binary_version": "8u492-ga~us2-0ubuntu1~20.04.1"
},
{
"binary_name": "openjdk-8-jdk",
"binary_version": "8u492-ga~us2-0ubuntu1~20.04.1"
},
{
"binary_name": "openjdk-8-jdk-headless",
"binary_version": "8u492-ga~us2-0ubuntu1~20.04.1"
},
{
"binary_name": "openjdk-8-jre",
"binary_version": "8u492-ga~us2-0ubuntu1~20.04.1"
},
{
"binary_name": "openjdk-8-jre-headless",
"binary_version": "8u492-ga~us2-0ubuntu1~20.04.1"
},
{
"binary_name": "openjdk-8-jre-zero",
"binary_version": "8u492-ga~us2-0ubuntu1~20.04.1"
},
{
"binary_name": "openjdk-8-source",
"binary_version": "8u492-ga~us2-0ubuntu1~20.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "openjdk-8",
"purl": "pkg:deb/ubuntu/openjdk-8@8u492-ga~us2-0ubuntu1~20.04.1?arch=source\u0026distro=esm-apps/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8u232-b09-0ubuntu1",
"8u232-b09-1",
"8u242-b04-1",
"8u242-b08-0ubuntu3",
"8u252-b07-1",
"8u252-b09-1ubuntu1",
"8u265-b01-0ubuntu2~20.04",
"8u272-b10-0ubuntu1~20.04",
"8u275-b01-0ubuntu1~20.04",
"8u282-b08-0ubuntu1~20.04",
"8u292-b10-0ubuntu1~20.04",
"8u312-b07-0ubuntu1~20.04",
"8u342-b07-0ubuntu1~20.04",
"8u352-ga-1~20.04",
"8u362-ga-0ubuntu1~20.04.1",
"8u372-ga~us1-0ubuntu1~20.04",
"8u382-ga-1~20.04.1",
"8u392-ga-1~20.04",
"8u402-ga-2ubuntu1~20.04",
"8u412-ga-1~20.04.1",
"8u422-b05-1~20.04",
"8u432-ga~us1-0ubuntu2~20.04",
"8u442-b06~us1-0ubuntu1~20.04",
"8u452-ga~us1-0ubuntu1~20.04",
"8u462-ga~us1-0ubuntu2~20.04.2",
"8u472-ga-1~20.04",
"8u482-ga~us1-0ubuntu1~20.04",
"8u492-ga~us2-0ubuntu1~20.04.1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "openjdk-8-demo",
"binary_version": "8u492-ga~us2-0ubuntu1~22.04.1"
},
{
"binary_name": "openjdk-8-jdk",
"binary_version": "8u492-ga~us2-0ubuntu1~22.04.1"
},
{
"binary_name": "openjdk-8-jdk-headless",
"binary_version": "8u492-ga~us2-0ubuntu1~22.04.1"
},
{
"binary_name": "openjdk-8-jre",
"binary_version": "8u492-ga~us2-0ubuntu1~22.04.1"
},
{
"binary_name": "openjdk-8-jre-headless",
"binary_version": "8u492-ga~us2-0ubuntu1~22.04.1"
},
{
"binary_name": "openjdk-8-jre-zero",
"binary_version": "8u492-ga~us2-0ubuntu1~22.04.1"
},
{
"binary_name": "openjdk-8-source",
"binary_version": "8u492-ga~us2-0ubuntu1~22.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "openjdk-8",
"purl": "pkg:deb/ubuntu/openjdk-8@8u492-ga~us2-0ubuntu1~22.04.1?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8u302-b08-0ubuntu2",
"8u312-b07-0ubuntu1",
"8u342-b07-0ubuntu1~22.04",
"8u352-ga-1~22.04",
"8u362-ga-0ubuntu1~22.04",
"8u372-ga~us1-0ubuntu1~22.04",
"8u382-ga-1~22.04.1",
"8u392-ga-1~22.04",
"8u402-ga-2ubuntu1~22.04",
"8u412-ga-1~22.04.1",
"8u422-b05-1~22.04",
"8u432-ga~us1-0ubuntu2~22.04",
"8u442-b06~us1-0ubuntu1~22.04",
"8u452-ga~us1-0ubuntu1~22.04",
"8u462-ga~us1-0ubuntu2~22.04.2",
"8u472-ga-1~22.04",
"8u482-ga~us1-0ubuntu1~22.04",
"8u492-ga~us2-0ubuntu1~22.04.1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "openjdk-8-demo",
"binary_version": "8u492-ga~us2-0ubuntu1~24.04.1"
},
{
"binary_name": "openjdk-8-jdk",
"binary_version": "8u492-ga~us2-0ubuntu1~24.04.1"
},
{
"binary_name": "openjdk-8-jdk-headless",
"binary_version": "8u492-ga~us2-0ubuntu1~24.04.1"
},
{
"binary_name": "openjdk-8-jre",
"binary_version": "8u492-ga~us2-0ubuntu1~24.04.1"
},
{
"binary_name": "openjdk-8-jre-headless",
"binary_version": "8u492-ga~us2-0ubuntu1~24.04.1"
},
{
"binary_name": "openjdk-8-jre-zero",
"binary_version": "8u492-ga~us2-0ubuntu1~24.04.1"
},
{
"binary_name": "openjdk-8-source",
"binary_version": "8u492-ga~us2-0ubuntu1~24.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "openjdk-8",
"purl": "pkg:deb/ubuntu/openjdk-8@8u492-ga~us2-0ubuntu1~24.04.1?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8u382-ga-1ubuntu1",
"8u392-ga-1",
"8u402-ga-1",
"8u402-ga-2",
"8u402-ga-2ubuntu1",
"8u402-ga-2ubuntu6",
"8u402-ga-2ubuntu7",
"8u402-ga-8build1",
"8u412-ga-1~24.04.2",
"8u422-b05-1~24.04",
"8u432-ga~us1-0ubuntu2~24.04",
"8u442-b06~us1-0ubuntu1~24.04",
"8u452-ga~us1-0ubuntu1~24.04",
"8u462-ga~us1-0ubuntu2~24.04.2",
"8u472-ga-1~24.04",
"8u482-ga~us1-0ubuntu1~24.04",
"8u492-ga~us2-0ubuntu1~24.04.1"
]
}
],
"aliases": [],
"details": "The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.",
"id": "UBUNTU-CVE-2015-4852",
"modified": "2026-05-28T12:44:00Z",
"published": "2015-11-18T15:59:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2015-4852"
},
{
"type": "REPORT",
"url": "https://issues.apache.org/jira/browse/COLLECTIONS-580"
},
{
"type": "REPORT",
"url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/"
},
{
"type": "REPORT",
"url": "http://www.openwall.com/lists/oss-security/2015/11/09/1"
},
{
"type": "REPORT",
"url": "http://www.infoq.com/news/2015/11/commons-exploit"
},
{
"type": "REPORT",
"url": "https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread"
},
{
"type": "REPORT",
"url": "https://www.kb.cert.org/vuls/id/576313"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/solutions/2045023"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-4852"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6936-1"
},
{
"type": "REPORT",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"related": [
"USN-6936-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "high",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2015-4852"
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…