Oracle recently released its Critical Patch Update (CPU) for July 2016, and there is a vulnerability addressed by this CPU that WebLogic administrators need to know about. At M&S Consulting, we have been facilitating the application of the appropriate patches required to address this and other vulnerabilities. It is very important to apply this most recent CPU as soon as possible, as one of the vulnerabilities it addresses, CVE-2016-3510, is relatively easy to exploit and can cause serious problems.
CVE-2016-3510 affects all versions of Oracle WebLogic Server since 10.3.6. So major versions such as 10.3.6, 12.1.3, and 12.2.1 and their point releases are impacted. The exploitation of this vulnerability is easy and can be initiated remotely by an unauthenticated attacker. The problem is caused by unsafe deserialize calls to the weblogic.corba.utils.MarshallObject object. By executing arbitrary code using a known blacklist bypass, the attacker will be able to gain network access via HTTP to compromise and possibly take over the Oracle WebLogic Server.
Apply the appropriate patch from the list below to address this and other WebLogic vulnerabilities. If you have applied previous CPU patches, you will need to remove them first and then apply the newer patch set. These patch sets are cumulative so any prior fixes will be included.
|Patch Name||Description||WebLogic Server Release|
|23094342||SU Patch [UIAL]: WLS PATCH SET UPDATE 10.3.6.0.160719 (Patch)||10.3.6.0|
|23094292||WLS PATCH SET UPDATE 18.104.22.168.160719 (Patch)||22.214.171.124.0|
|23094285||WLS PATCH SET UPDATE 126.96.36.199.160719 (Patch)||188.8.131.52.0|