Your submission was sent successfully! Close

CVE-2015-4852

Published: 18 November 2015

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.

Notes

AuthorNote
sbeattie
according to infoq article and digging through openjdk
source, there is at least an embedded copy of xalan xslt in openjdk
which is also vulnerable, though it may be just an example of a
target class to overwrite via desrialization.
same as above for libxalan2-java
mdeslaur
This CVE was originally assigned to Oracle WebLogic, and then
was subsequently used by IBM Websphere. It has been proposed to
use it for commons-collections. See:
http://www.openwall.com/lists/oss-security/2015/11/15/1
Red Hat has assigned CVE-2015-7501 to the issue in
JBoss Middleware Suite
as of 2018-09-19, no indication that this is being fixed in
openjdk, or if it is an issue at all. Marking as ignored.
Priority

Low

Status

Package Release Status
libcommons-collections3-java
Launchpad, Ubuntu, Debian
artful Not vulnerable
(3.2.2-1)
bionic Not vulnerable
(3.2.2-1)
cosmic Not vulnerable
(3.2.2-1)
disco Not vulnerable
(3.2.2-1)
eoan Not vulnerable
(3.2.2-1)
focal Not vulnerable
(3.2.2-1)
groovy Not vulnerable
(3.2.2-1)
hirsute Not vulnerable
(3.2.2-1)
impish Not vulnerable
(3.2.2-1)
jammy Not vulnerable
(3.2.2-1)
kinetic Not vulnerable
(3.2.2-1)
precise Does not exist
(precise was needs-triage)
trusty Needed

upstream
Released (3.2.2)
vivid Ignored
(reached end-of-life)
wily Ignored
(reached end-of-life)
xenial Not vulnerable
(3.2.2-1)
yakkety Not vulnerable
(3.2.2-1)
zesty Not vulnerable
(3.2.2-1)
Patches:
upstream: http://svn.apache.org/viewvc?view=revision&revision=1713307
upstream: http://svn.apache.org/viewvc?view=revision&revision=1713537

libcommons-collections4-java
Launchpad, Ubuntu, Debian
artful Not vulnerable
(4.1-1)
bionic Not vulnerable
(4.1-1)
cosmic Not vulnerable
(4.1-1)
disco Not vulnerable
(4.1-1)
eoan Not vulnerable
(4.1-1)
focal Not vulnerable
(4.1-1)
groovy Not vulnerable
(4.1-1)
hirsute Not vulnerable
(4.1-1)
impish Not vulnerable
(4.1-1)
jammy Not vulnerable
(4.1-1)
kinetic Not vulnerable
(4.1-1)
precise Does not exist

trusty Does not exist
(trusty was needed)
upstream
Released (4.1)
vivid Ignored
(reached end-of-life)
wily Ignored
(reached end-of-life)
xenial Not vulnerable
(4.1-1)
yakkety Not vulnerable
(4.1-1)
zesty Not vulnerable
(4.1-1)
Patches:


upstream: https://git-wip-us.apache.org/repos/asf?p=commons-collections.git;a=commit;h=b2b8f4adc557e4ef1ee2fe5e0ab46866c06ec55b
libxalan2-java
Launchpad, Ubuntu, Debian
artful Ignored
(reached end-of-life)
bionic Not vulnerable
(code not present)
cosmic Not vulnerable
(code not present)
disco Not vulnerable
(code not present)
eoan Not vulnerable
(code not present)
focal Not vulnerable
(code not present)
groovy Not vulnerable
(code not present)
hirsute Not vulnerable
(code not present)
impish Not vulnerable
(code not present)
jammy Not vulnerable
(code not present)
kinetic Not vulnerable
(code not present)
precise Does not exist
(precise was needs-triage)
trusty Not vulnerable
(code not present)
upstream Not vulnerable
(code not present)
vivid Ignored
(reached end-of-life)
wily Ignored
(reached end-of-life)
xenial Not vulnerable
(code not present)
yakkety Ignored
(reached end-of-life)
zesty Ignored
(reached end-of-life)
openjdk-6
Launchpad, Ubuntu, Debian
artful Does not exist

bionic Does not exist

cosmic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

kinetic Does not exist

precise Does not exist
(precise was needs-triage)
trusty Does not exist
(trusty was ignored)
upstream Needs triage

vivid Ignored
(reached end-of-life)
wily Ignored
(reached end-of-life)
xenial Does not exist

yakkety Does not exist

zesty Does not exist

openjdk-7
Launchpad, Ubuntu, Debian
artful Does not exist

bionic Does not exist

cosmic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

kinetic Does not exist

precise Does not exist
(precise was needs-triage)
trusty Does not exist
(trusty was ignored)
upstream Needs triage

vivid Ignored
(reached end-of-life)
wily Ignored
(reached end-of-life)
xenial Does not exist

yakkety Does not exist

zesty Does not exist

openjdk-8
Launchpad, Ubuntu, Debian
artful Ignored
(reached end-of-life)
bionic Ignored

cosmic Ignored

disco Ignored

eoan Ignored

focal Ignored

groovy Ignored

hirsute Ignored

impish Ignored

jammy Ignored

kinetic Ignored

precise Does not exist

trusty Does not exist

upstream Needs triage

vivid Ignored
(reached end-of-life)
wily Ignored
(reached end-of-life)
xenial Ignored

yakkety Ignored
(reached end-of-life)
zesty Ignored
(reached end-of-life)