Vulnerability identifier: #VU831
Vulnerability risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-502
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Oracle Health Sciences Clinical Development Center (Other software / Other software solutions)
Oracle Retail Order Broker (Other software / Other software solutions)
Oracle Retail Service Backbone (Other software / Other software solutions)
Oracle Retail Store Inventory Management (Other software / Other software solutions)
Oracle Big Data Discovery (Other software / Other software solutions)
Oracle Retail Customer Insights (Other software / Other software solutions)
Oracle Retail Merchandising Insights (Other software / Other software solutions)
Oracle Agile PLM Framework (Universal components / Libraries / Software for developers)
Oracle Commerce Platform (Web applications / E-Commerce systems)
Vendor: Oracle
Description
The vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the target system.
The weakness exists due to insecure deserialization in runtime/MethodClosure.java (CWE-502). By sending a specially crafted serialized object, an attacker can trigger execution of arbitrary code during deserialization.
Successful exploitation of the vulnerability results in arbitrary code execution or denial of service on the vulnerable system.
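As an added example (not part of this advisory, nor Oracle's or Groovy's own code), a JDK 9+ deserialization filter that rejects the Groovy MethodClosure class named above and everything outside a small allow-list; the class name org.codehaus.groovy.runtime.MethodClosure is Groovy's, while the allow-listed types, limits and sample input are assumptions for this example:

```java
import java.io.*;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

/*
 * Added example: a java.io.ObjectInputFilter (JEP 290, JDK 9+) that
 * rejects the Groovy gadget class named in the advisory, the rest of the
 * Groovy runtime, and any class not explicitly allow-listed. The allow-list
 * entries and limits below are assumptions for this demo, not a recommendation
 * for any particular product.
 */
public class SafeDeserializer {

    // Order matters: the first matching pattern wins, and "!*" at the end
    // rejects every class not matched earlier. maxdepth/maxarray bound the
    // object graph so a crafted stream cannot exhaust resources either.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "!org.codehaus.groovy.runtime.MethodClosure;"   // the class from the advisory
      + "!org.codehaus.groovy.**;"                      // the whole Groovy runtime
      + "java.lang.String;java.util.ArrayList;"         // what this app expects
      + "maxdepth=5;maxarray=1000;!*");

    /** Deserializes bytes; throws InvalidClassException for a rejected class. */
    public static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);   // checked before any readObject() runs
            return in.readObject();
        }
    }

    static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an allow-listed type passes the filter.
        System.out.println(readFiltered(serialize(new ArrayList<>(List.of("order-42")))));
        // A type outside the allow-list (HashMap here) is rejected when its
        // class descriptor is read, before its own readObject can execute.
        try {
            readFiltered(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Setting the same pattern as the `jdk.serialFilter` system property applies it process-wide without code changes, which is the practical route for the vendor products listed here.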
Mitigation
Update to version 2.4.5 or later.
Vulnerable software versions
Oracle Health Sciences Clinical Development Center: 3.1.1 - 3.1.2
Oracle Retail Order Broker: 4.1 - 15.0
Oracle Retail Service Backbone: 13.0 - 15.0
Oracle Retail Store Inventory Management: 13.2 - 14.1
Oracle Big Data Discovery: 1.1.1 - 1.2.0
Oracle Agile PLM Framework: 9.3.4 - 9.3.5
Oracle Commerce Platform: 10.0.3.5 - 11.2.0.1
Oracle Retail Customer Insights: 15.0
Oracle Retail Merchandising Insights: 15.0
External links
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3253
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.