#VU831 Arbitrary code execution in Oracle Web applications


Published: 2016-10-11 | Updated: 2017-01-05

Vulnerability identifier: #VU831

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-3253

CWE-ID: CWE-502

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Oracle Health Sciences Clinical Development Center
Other software / Other software solutions
Oracle Retail Order Broker
Other software / Other software solutions
Oracle Retail Service Backbone
Other software / Other software solutions
Oracle Retail Store Inventory Management
Other software / Other software solutions
Oracle Big Data Discovery
Other software / Other software solutions
Oracle Retail Customer Insights
Other software / Other software solutions
Oracle Retail Merchandising Insights
Other software / Other software solutions
Oracle Agile PLM Framework
Universal components / Libraries / Software for developers
Oracle Commerce Platform
Web applications / E-Commerce systems

Vendor: Oracle

Description
The vulnerability allows a remote unauthenticated user to cause arbitrary code execution on the target system.
The weakness exists due to improper serialization of runtime/MethodClosure.java. By sending specially crafted serialized objects, an attacker can trigger arbitrary code execution.
Successful exploitation of the vulnerability results in arbitrary code execution or denial of service on the vulnerable system.

Mitigation
Update to version 2.4.5 or later.
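As an added example (not part of this advisory), the detection logic below scans a Java serialization stream for a class descriptor naming Groovy's MethodClosure, assumed here to be the fully qualified name of the runtime/MethodClosure.java class mentioned above. The two streams it scans are constructed by hand, and the scanner is a heuristic that looks only at class descriptors, not a full ObjectInputStream parser; it is a compensating control for gateways or log replay, not a substitute for the upgrade.

```python
# Heuristic scanner for Java serialization streams: flags class descriptors
# that name the Groovy MethodClosure gadget behind CVE-2015-3253.
# Sample streams are constructed; this is not a full ObjectInputStream parser.
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"   # ObjectInputStream magic + version 5
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72
# Assumed fully qualified name of runtime/MethodClosure.java
DENYLIST = {"org.codehaus.groovy.runtime.MethodClosure"}


def _looks_like_class_name(raw: bytes) -> bool:
    """Java binary class names use ASCII letters, digits, '.', '$', '_' only."""
    return bool(raw) and all(
        b < 128 and (chr(b).isalnum() or chr(b) in "._$") for b in raw)


def class_names(stream: bytes) -> list:
    """Return class names of TC_CLASSDESC records found by scanning the stream."""
    if not stream.startswith(STREAM_MAGIC):
        raise ValueError("not a Java serialization stream")
    names, i = [], len(STREAM_MAGIC)
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            (length,) = struct.unpack(">H", stream[i + 1:i + 3])
            raw = stream[i + 3:i + 3 + length]
            if len(raw) == length and _looks_like_class_name(raw):
                names.append(raw.decode("ascii"))
                i += 3 + length      # skip past the name we just consumed
                continue
        i += 1
    return names


def flagged_classes(stream: bytes) -> list:
    """Class names in the stream that appear on the denylist."""
    return [n for n in class_names(stream) if n in DENYLIST]


def _class_desc(name: str) -> bytes:
    """Build a minimal TC_OBJECT/TC_CLASSDESC header (constructed sample)."""
    encoded = name.encode("ascii")
    return (bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(encoded))
            + encoded + b"\x00" * 8      # dummy serialVersionUID
            + b"\x02" + b"\x00\x00"      # SC_SERIALIZABLE, zero fields
            + b"\x78\x70")               # TC_ENDBLOCKDATA, TC_NULL superclass


# Constructed samples: a benign HashMap stream and one naming MethodClosure.
BENIGN_STREAM = STREAM_MAGIC + _class_desc("java.util.HashMap")
SUSPECT_STREAM = STREAM_MAGIC + _class_desc("org.codehaus.groovy.runtime.MethodClosure")

if __name__ == "__main__":
    for label, s in (("benign", BENIGN_STREAM), ("suspect", SUSPECT_STREAM)):
        print(label, flagged_classes(s))
```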

Vulnerable software versions

Oracle Health Sciences Clinical Development Center: 3.1.1 - 3.1.2

Oracle Retail Order Broker: 4.1 - 15.0

Oracle Retail Service Backbone: 13.0 - 15.0

Oracle Retail Store Inventory Management: 13.2 - 14.1

Oracle Big Data Discovery: 1.1.1 - 1.2.0

Oracle Agile PLM Framework: 9.3.4 - 9.3.5

Oracle Commerce Platform: 10.0.3.5 - 11.2.0.1

Oracle Retail Customer Insights: 15.0

Oracle Retail Merchandising Insights: 15.0


External links
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3253
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

