WebLogic Server Deserialization RCE BadAttributeValueExpException ExtComp
| Disclosed |
|---|
| Apr 30, 2020 |
Description
A Java object deserialization vulnerability exists in
multiple versions of WebLogic Server.
An unauthenticated attacker can achieve remote code
execution by sending a serialized `BadAttributeValueExpException`
object over the T3 protocol to a vulnerable WebLogic
instance. Routing the deserialization through an
`ExtractorComparator` makes it possible to reach a
reflective `method.invoke()` call, which executes
arbitrary code.
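Added example, not code from the Metasploit module or from this page: a small Python scanner for captured T3 client messages that flags the gadget classes named in the description when they appear inside an embedded Java serialization stream. It assumes the T3 client hello has the layout `t3 <version>\nAS:...\nHL:...\n\n` (the version string is made up), matches `ExtractorComparator` by simple name because the page does not give its package, and runs against constructed sample bytes rather than a real capture.

```python
import re
import struct

# Constants from the Java Object Serialization Stream Protocol.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC + STREAM_VERSION
TC_OBJECT = 0x73                           # "new object" tag
TC_CLASSDESC = 0x72                        # class descriptor: tag, 2-byte length, UTF class name

# Gadget classes named in the description. ExtractorComparator is matched on its simple
# name because the page does not state its package (assumption: any package is suspect).
GADGET_CLASSES = ("javax.management.BadAttributeValueExpException", "ExtractorComparator")

CLASS_NAME_RE = re.compile(r"[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*")


def is_t3_handshake(data: bytes) -> bool:
    """True if the message starts like a T3 client hello ("t3 <version>\\n...\\n\\n")."""
    return data.startswith(b"t3 ") and b"\n\n" in data[:256]


def serialized_class_names(blob: bytes) -> list[str]:
    """Return class names of TC_CLASSDESC records that follow the serialization magic."""
    start = blob.find(JAVA_SERIAL_MAGIC)
    if start < 0:
        return []
    names, i = [], start + len(JAVA_SERIAL_MAGIC)
    while i + 3 <= len(blob):
        if blob[i] == TC_CLASSDESC:
            (n,) = struct.unpack(">H", blob[i + 1:i + 3])
            raw = blob[i + 3:i + 3 + n]
            if n and len(raw) == n and CLASS_NAME_RE.fullmatch(raw.decode("ascii", "replace")):
                names.append(raw.decode("ascii"))
                i += 3 + n          # skip the name so bytes inside it are not re-scanned
                continue
        i += 1
    return names


def flag_gadgets(blob: bytes) -> list[str]:
    """Class names in the stream that match the gadget list (exact or by simple name)."""
    return [c for c in serialized_class_names(blob)
            if any(c == g or c.rsplit(".", 1)[-1] == g for g in GADGET_CLASSES)]


def inspect_t3_message(data: bytes) -> dict:
    """Summarise a captured T3 client message for a detection pipeline."""
    return {
        "t3_handshake": is_t3_handshake(data),
        "java_serialized": JAVA_SERIAL_MAGIC in data,
        "gadgets": flag_gadgets(data),
    }


# --- constructed sample traffic (not a real capture) ---------------------------------
def _class_desc(name: str) -> bytes:
    """Minimal TC_CLASSDESC: tag, length, name, then a zeroed serialVersionUID and flags."""
    encoded = name.encode("ascii")
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(encoded)) + encoded + b"\x00" * 9


T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\n\n"   # assumed T3 client hello layout and version
MALICIOUS_MESSAGE = (T3_HELLO + b"\x00" * 4 + JAVA_SERIAL_MAGIC + bytes([TC_OBJECT])
                     + _class_desc("javax.management.BadAttributeValueExpException")
                     + bytes([TC_OBJECT])
                     + _class_desc("com.tangosol.util.comparator.ExtractorComparator"))
BENIGN_MESSAGE = (T3_HELLO + JAVA_SERIAL_MAGIC + bytes([TC_OBJECT])
                  + _class_desc("java.lang.String"))

if __name__ == "__main__":
    for label, msg in (("malicious", MALICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, inspect_t3_message(msg))
```

The check is a network-side heuristic: it keys on the serialization magic and class descriptor records from the Java serialization specification, so it sees only class names that travel in the clear and will miss payloads wrapped in another encoding. The server-side counterpart (an assumption, not something the page states) is a JDK deserialization filter that rejects these classes, e.g. `jdk.serialFilter=!javax.management.BadAttributeValueExpException`.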