Lucene search
This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.F5_BIGIP_SOL30518307.NASLHistoryDec 17, 2015 - 12:00 a.m.
F5 Networks BIG-IP : Java commons-collections library vulnerability (K30518307)
2015-12-1700:00:00
This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
655
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.967 High
EPSS
Percentile
99.7%
CVE-2015-4852 Java applications that have an endpoint that accepts serialized Java objects, an attacker can combine serializable collections to create arbitrary remote code execution. Based on the FoxGlove, an attack can be done via RMI or HTTP. The vulnerability is actually in InvokerTransformer class. If class path exists for commons-collections or commons-collections4, the vulnerability exits in the application.
Apache Collections-580 - Arbitrary remote code execution with InvokerTransformer With InvokerTransformer, serializable collections can be build that execute arbitrary Java code.
sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes #entrySet and #get on a deserialized collection. If you have an endpoint that accepts serialized Java objects (JMX, RMI, remote EJB, โฆ) you can combine the two to create arbitrary remote code execution vulnerability.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from F5 Networks BIG-IP Solution K30518307.
#
# The text description of this plugin is (C) F5 Networks.
#
include('compat.inc');
if (description)
{
script_id(87432);
script_version("2.22");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/12/05");
script_cve_id("CVE-2015-4852");
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03");
script_xref(name:"CEA-ID", value:"CEA-2020-0129");
script_name(english:"F5 Networks BIG-IP : Java commons-collections library vulnerability (K30518307)");
script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
script_set_attribute(attribute:"description", value:
"CVE-2015-4852 Java applications that have an endpoint that accepts
serialized Java objects, an attacker can combine serializable
collections to create arbitrary remote code execution. Based on the
FoxGlove, an attack can be done via RMI or HTTP. The vulnerability is
actually in InvokerTransformer class. If class path exists for
commons-collections or commons-collections4, the vulnerability exits
in the application.
Apache Collections-580 - Arbitrary remote code execution with
InvokerTransformer With InvokerTransformer, serializable collections
can be build that execute arbitrary Java code.
sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes
#entrySet and #get on a deserialized collection. If you have an
endpoint that accepts serialized Java objects (JMX, RMI, remote EJB,
...) you can combine the two to create arbitrary remote code execution
vulnerability.");
script_set_attribute(attribute:"see_also", value:"https://issues.apache.org/jira/browse/COLLECTIONS-580");
script_set_attribute(attribute:"see_also", value:"https://support.f5.com/csp/article/K30518307");
script_set_attribute(attribute:"solution", value:
"Upgrade to one of the non-vulnerable versions listed in the F5
Solution K30518307.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Oracle Weblogic Server Deserialization RCE - Raw Object');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:"CANVAS");
script_set_attribute(attribute:"vuln_publication_date", value:"2015/11/18");
script_set_attribute(attribute:"patch_publication_date", value:"2015/12/15");
script_set_attribute(attribute:"plugin_publication_date", value:"2015/12/17");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_advanced_firewall_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_acceleration_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_visibility_and_reporting");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_global_traffic_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_policy_enforcement_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_wan_optimization_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_webaccelerator");
script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip");
script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip_protocol_security_manager");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"F5 Networks Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("f5_bigip_detect.nbin");
script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version", "Settings/ParanoidReport");
exit(0);
}
include("f5_func.inc");
if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
version = get_kb_item("Host/BIG-IP/version");
if ( ! version ) audit(AUDIT_OS_NOT, "F5 Networks BIG-IP");
if ( isnull(get_kb_item("Host/BIG-IP/hotfix")) ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix");
if ( ! get_kb_item("Host/BIG-IP/modules") ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules");
sol = "K30518307";
vmatrix = make_array();
if (report_paranoia < 2) audit(AUDIT_PARANOID);
# AFM
vmatrix["AFM"] = make_array();
vmatrix["AFM"]["affected" ] = make_list("12.0.0","11.3.0-11.6.1");
vmatrix["AFM"]["unaffected"] = make_list("12.1.0");
# AM
vmatrix["AM"] = make_array();
vmatrix["AM"]["affected" ] = make_list("12.0.0","11.4.0-11.6.1");
vmatrix["AM"]["unaffected"] = make_list("12.1.0");
# APM
vmatrix["APM"] = make_array();
vmatrix["APM"]["affected" ] = make_list("12.0.0","11.0.0-11.6.1");
vmatrix["APM"]["unaffected"] = make_list("12.1.0","10.1.0-10.2.4");
# ASM
vmatrix["ASM"] = make_array();
vmatrix["ASM"]["affected" ] = make_list("12.0.0","11.0.0-11.6.1");
vmatrix["ASM"]["unaffected"] = make_list("12.1.0","10.1.0-10.2.4");
# AVR
vmatrix["AVR"] = make_array();
vmatrix["AVR"]["affected" ] = make_list("12.0.0","11.0.0-11.6.1");
vmatrix["AVR"]["unaffected"] = make_list("12.1.0");
# GTM
vmatrix["GTM"] = make_array();
vmatrix["GTM"]["affected" ] = make_list("11.0.0-11.6.1");
vmatrix["GTM"]["unaffected"] = make_list("10.1.0-10.2.4");
# LC
vmatrix["LC"] = make_array();
vmatrix["LC"]["affected" ] = make_list("12.0.0","11.0.0-11.6.1");
vmatrix["LC"]["unaffected"] = make_list("12.1.0","10.1.0-10.2.4");
# LTM
vmatrix["LTM"] = make_array();
vmatrix["LTM"]["affected" ] = make_list("12.0.0","11.0.0-11.6.1");
vmatrix["LTM"]["unaffected"] = make_list("12.1.0","10.1.0-10.2.4");
# PEM
vmatrix["PEM"] = make_array();
vmatrix["PEM"]["affected" ] = make_list("12.0.0","11.3.0-11.6.1");
vmatrix["PEM"]["unaffected"] = make_list("12.1.0");
# PSM
vmatrix["PSM"] = make_array();
vmatrix["PSM"]["affected" ] = make_list("11.0.0-11.4.1");
vmatrix["PSM"]["unaffected"] = make_list("10.1.0-10.2.4");
# WAM
vmatrix["WAM"] = make_array();
vmatrix["WAM"]["affected" ] = make_list("11.0.0-11.3.0");
vmatrix["WAM"]["unaffected"] = make_list("10.1.0-10.2.4");
# WOM
vmatrix["WOM"] = make_array();
vmatrix["WOM"]["affected" ] = make_list("11.0.0-11.3.0");
vmatrix["WOM"]["unaffected"] = make_list("10.1.0-10.2.4");
if (bigip_is_affected(vmatrix:vmatrix, sol:sol))
{
if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());
else security_hole(0);
exit(0);
}
else
{
tested = bigip_get_tested_modules();
audit_extra = "For BIG-IP module(s) " + tested + ",";
if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);
else audit(AUDIT_HOST_NOT, "running any of the affected modules");
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| f5 | big-ip_access_policy_manager | cpe:/a:f5:big-ip_access_policy_manager | |
| f5 | big-ip_advanced_firewall_manager | cpe:/a:f5:big-ip_advanced_firewall_manager | |
| f5 | big-ip_application_acceleration_manager | cpe:/a:f5:big-ip_application_acceleration_manager | |
| f5 | big-ip_application_security_manager | cpe:/a:f5:big-ip_application_security_manager | |
| f5 | big-ip_application_visibility_and_reporting | cpe:/a:f5:big-ip_application_visibility_and_reporting | |
| f5 | big-ip_global_traffic_manager | cpe:/a:f5:big-ip_global_traffic_manager | |
| f5 | big-ip_link_controller | cpe:/a:f5:big-ip_link_controller | |
| f5 | big-ip_local_traffic_manager | cpe:/a:f5:big-ip_local_traffic_manager | |
| f5 | big-ip_policy_enforcement_manager | cpe:/a:f5:big-ip_policy_enforcement_manager | |
| f5 | big-ip_wan_optimization_manager | cpe:/a:f5:big-ip_wan_optimization_manager |
Related
cisa_kev
cisa_kev
Oracle WebLogic Server Deserialization of Untrusted Data Vulnerability
2021-11-03 00:00:00
nvd
nvd
CVE-2015-4852
2015-11-18 15:59:00
cvelist
cvelist
CVE-2015-4852
2015-11-18 15:00:00
f5
f5
K30518307 : Java commons-collections library vulnerability CVE-2015-4852
2015-12-15 00:00:00
SOL30518307 - Java commons-collections library vulnerability CVE-2015-4852
2015-12-15 00:00:00
zdt
zdt
Oracle WebLogic Server 10.3.6.0 - Java Deserialization Exploit
2017-09-28 00:00:00
exploitpack
exploitpack
Oracle WebLogic Server 10.3.6.0 - Java Deserialization Remote Code Execution
2017-09-27 00:00:00
packetstorm
packetstorm
Oracle WebLogic Server Java Deserialization Remote Code Execution
2017-09-29 00:00:00
Oracle Weblogic Server Deserialization Remote Code Execution
2019-03-27 00:00:00
openvas
openvas
Oracle WebLogic Server Java Deserialization Vulnerability
2016-07-27 00:00:00
Oracle WebLogic Server Remote Code Execution Vulnerability
2015-11-17 00:00:00
Zimbra < 8.7.0 Multiple Vulnerabilities
2017-02-01 00:00:00
attackerkb
attackerkb
CVE-2015-4852
2015-11-18 00:00:00
checkpoint_advisories
checkpoint_advisories
cve
cve
CVE-2015-4852
2015-11-18 15:59:00
saint
saint
Oracle WebLogic Apache Commons library deserialization vulnerability
2015-11-20 00:00:00
Oracle WebLogic Apache Commons library deserialization vulnerability
2015-11-20 00:00:00
Oracle WebLogic Apache Commons library deserialization vulnerability
2015-11-20 00:00:00
prion
prion
Code injection
2015-11-18 15:59:00
nessus
nessus
Oracle WebLogic Java Object Deserialization RCE
2015-11-23 00:00:00
Oracle WebLogic Server Multiple Vulnerabilities (January 2016 CPU)
2016-01-21 00:00:00
exploitdb
exploitdb
Oracle WebLogic Server 10.3.6.0 - Java Deserialization Remote Code Execution
2017-09-27 00:00:00
ubuntucve
ubuntucve
CVE-2015-4852
2015-11-18 00:00:00
myhack58
myhack58
canvas
canvas
Immunity Canvas: WEBLOGIC_T3_DESERIALIZATION
2017-11-09 17:29:00
ibm
ibm
Security Bulletin: The IBMยฎ Engineering Lifecycle Management is impacted by vulnerabilties in Apache Commons Collections
2024-06-05 07:14:06
veracode
veracode
Potential Remote Code Execution Via Java Object Deserialization
2015-11-09 19:34:22
githubexploit
githubexploit
Exploit for Command Injection in Oracle Virtual Desktop Infrastructure
2020-08-10 09:17:04
cert
cert
Apache Commons Collections Java library insecurely deserializes data
2015-11-13 00:00:00
kitploit
kitploit
Jok3R - Network And Web Pentest Framework
2019-01-23 12:25:00
threatpost
threatpost
Bug Parade: NSA Warns on Cresting China-Backed Cyberattacks
2020-10-21 20:31:17
qualysblog
qualysblog
NSA Alert: Chinese State-Sponsored Actors Exploit Known Vulnerabilities
2020-10-22 23:10:29
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR
2022-02-23 05:39:00
ics
ics
Potential for China Cyber Response to Heightened U.S.โChina Tensions
2020-10-20 12:00:00
impervablog
impervablog
Deserialization Attacks Surge Motivated by Illegal Crypto-mining
2018-01-24 17:45:08
oracle
oracle
Oracle Critical Patch Update - October 2016
2016-10-18 00:00:00
Oracle Critical Patch Update - January 2018
2018-01-16 00:00:00
Oracle Critical Patch Update - January 2016
2016-01-19 00:00:00
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.967 High
EPSS
Percentile
99.7%
Related for F5_BIGIP_SOL30518307.NASL