Risk | High
Patch available | YES
Number of vulnerabilities | 1
CVE-ID | CVE-2015-3253
CWE-ID | CWE-502
Exploitation vector | Network
Public exploit | N/A
Vulnerable software | Oracle Communications Converged Application Server (Server applications / Application servers)
Vendor | Oracle
Security Bulletin
This security bulletin contains one high risk vulnerability.
EUVDB-ID: #VU831
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2015-3253
CWE-ID: CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
Description: The vulnerability allows a remote unauthenticated user to execute arbitrary code on the target system.
The weakness exists due to insecure deserialization of untrusted data in runtime/MethodClosure.java. By sending specially crafted serialized objects, a remote attacker can trigger execution of arbitrary code.
Successful exploitation of the vulnerability results in arbitrary code execution or denial of service on the vulnerable system.
Remediation: Install the update from the vendor's website.
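Beyond applying the vendor update, a defender can install a deserialization filter so that classes the application never expects to read from a serialized stream are refused before any of their code runs. The following is an added example (not code from this bulletin, from Oracle, or from the Groovy project), written against the standard java.io.ObjectInputFilter API (Java 9 and later); the class name org.codehaus.groovy.runtime.MethodClosure is assumed from the source path runtime/MethodClosure.java quoted above, and the Greeting and Unexpected types are constructed stand-ins for the application's own classes.

```java
import java.io.*;

// Added example, not code from the advisory, Oracle or Groovy: a JEP 290
// deserialization filter (java.io.ObjectInputFilter, Java 9+) that refuses
// classes the application never expects to read from a serialized stream.
// The fully qualified name org.codehaus.groovy.runtime.MethodClosure is
// assumed from the source path runtime/MethodClosure.java in the advisory.
public class DeserializationGuard {

    // Constructed sample type: the one application class we expect to receive.
    public static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String text;
        public Greeting(String text) { this.text = text; }
    }

    // Constructed sample type standing in for any class we did not expect.
    public static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Pattern syntax: "!" rejects, ";" separates patterns, the first matching
    // pattern decides, and the trailing "!*" rejects every class not allowed.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "!org.codehaus.groovy.runtime.MethodClosure;"          // explicit block
          + "java.base/*;"                                          // JDK core types
          + DeserializationGuard.class.getName() + "$Greeting;"     // our allow-list
          + "!*");                                                  // deny all others

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Filtered read: a rejected class raises InvalidClassException before
    // its readObject or any other code it carries gets a chance to execute.
    static Object deserializeGuarded(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Greeting ok = (Greeting) deserializeGuarded(serialize(new Greeting("hello")));
        System.out.println("accepted: " + ok.text);
        try {
            deserializeGuarded(serialize(new Unexpected()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationGuard.java && java DeserializationGuard`; the same pattern string can also be applied JVM-wide through the `jdk.serialFilter` system property so that every ObjectInputStream in the process is covered.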
Vulnerable software versions: Oracle Communications Converged Application Server: 6.1
External links: https://www.oracle.com/security-alerts/cpuapr2020.html?3333
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.