#VU831 Arbitrary code execution in Oracle products - CVE-2015-3253
Published: October 11, 2016 / Updated: January 5, 2017
Vulnerability identifier: #VU831
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2015-3253
CWE-ID: CWE-502
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Oracle Health Sciences Clinical Development Center
Oracle Retail Order Broker
Oracle Retail Service Backbone
Oracle Retail Store Inventory Management
Oracle Big Data Discovery
Oracle Retail Customer Insights
Oracle Retail Merchandising Insights
Oracle Agile PLM Framework
Oracle Commerce Platform
Software vendor:
Oracle
Description
The vulnerability allows a remote unauthenticated user to cause arbitrary code execution on the target system.
The weakness exists due to improper deserialization handling in runtime/MethodClosure.java. By sending specially crafted serialized objects, an attacker can trigger execution of arbitrary code.
Successful exploitation of the vulnerability results in arbitrary code execution or denial of service on the vulnerable system.
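The CWE-502 weakness described above, as an added defensive example that is not part of this advisory or of any Oracle product: a Java `ObjectInputStream` subclass that only materialises classes on an explicit allow-list, so a serialized stream naming a closure type or any other unexpected class is rejected before the class is loaded or its `readObject()` runs. The `OrderRequest` type, the allow-list contents and the sample payloads are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/**
 * Added example (not from the advisory): an allow-list deserialization gate.
 * A stream that names any class outside the allow-list is rejected in
 * resolveClass(), i.e. before the class is loaded and before any of its
 * readObject()/readResolve() logic can run.
 */
public final class SafeObjectInputStream extends ObjectInputStream {

    // Only these classes may be materialised from untrusted input.
    // Constructed for this example; a real service lists its own DTO types.
    private static final Set<String> ALLOWED = Set.of(
            "SafeObjectInputStream$OrderRequest",
            "java.lang.String",
            "java.lang.Integer",
            "java.lang.Number");

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // Fail closed: unknown class descriptor, do not even load it.
            throw new InvalidClassException(name, "class not allowed for deserialization");
        }
        return super.resolveClass(desc);
    }

    /** Minimal record type a service might legitimately accept (constructed). */
    public static final class OrderRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku;
        final int quantity;

        OrderRequest(String sku, int quantity) {
            this.sku = sku;
            this.quantity = quantity;
        }
    }

    /** Serializes one object; used only to build the constructed sample inputs. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Returns true if the bytes deserialize to an allowed object, false if the gate rejects them. */
    static boolean accepts(byte[] bytes) throws IOException {
        try (SafeObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.readObject();
            return true;
        } catch (InvalidClassException | ClassNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Expected business input: the only type the service is meant to accept.
        byte[] good = serialize(new OrderRequest("SKU-123", 2));
        // A type the service never expects; stands in for any unexpected class
        // (such as a closure type) and is rejected by the allow-list although
        // ArrayList itself is harmless.
        byte[] unexpected = serialize(new ArrayList<>(List.of("x")));
        System.out.println("order request accepted: " + accepts(good));
        System.out.println("unexpected type accepted: " + accepts(unexpected));
    }
}
```

The gate works on the class descriptor names in the stream, which is why `OrderRequest` is listed by its binary name `SafeObjectInputStream$OrderRequest`. On Java 9 and later the same policy can be expressed without subclassing by calling `setObjectInputFilter` with `ObjectInputFilter.Config.createFilter("SafeObjectInputStream$OrderRequest;!*")`, which additionally lets you cap stream depth and array sizes; either way the point is an explicit allow-list of expected types rather than a deny-list of known-bad ones, because deny-lists miss the next closure or gadget class.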
Remediation
Update to version 2.4.5 or later.