Advisory Details

July 21st, 2016

Oracle WebLogic JtaTransactionManager Deserialization of Untrusted Data Remote Code Execution Vulnerability

ZDI-16-441
ZDI-CAN-3588

CVE ID CVE-2016-3586
CVSS SCORE 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P
AFFECTED VENDORS Oracle
AFFECTED PRODUCTS WebLogic
VULNERABILITY DETAILS


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle WebLogic. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the use of JtaTransactionManager. It is possible to execute arbitrary commands upon deserialization. The attacker can leverage this vulnerability to execute code in the context of the process.
ADDITIONAL DETAILS
DISCLOSURE TIMELINE
  • 2016-04-13 - Vulnerability reported to vendor
  • 2016-07-21 - Coordinated public release of advisory
CREDIT Alvaro Munoz (@pwntester) & Christian Schneider (@cschneider4711)
BACK TO ADVISORIES