According to the Oracle website, the following deserialization vulnerabilities are related to the HTTP protocol.

CVE-2015-7501, CVE-2016-5535, CVE-2016-3586, CVE-2016-3510, etc.

But I do not understand why WebLogic says it is related to the HTTP protocol.

Unless the server application expects a serialized Java object as input over the HTTP protocol, is there any other possible way to exploit these vulnerabilities?

Manjula
  • 176
  • 6

2 Answers

1

You have to be able to trigger deserialization to exploit this. It is just saying that the protocol used when it is exploited is HTTP. However, keep in mind that there are often default listeners that can be exploited. For example, JBoss allows for using adaptors for accessing MBean services over any supported protocols. For HTTP, the JBoss AS provides the HttpAdaptor. In a default installation, the HttpAdaptor is not activated. However, the HttpAdaptor's JMX Invoker is running and publicly available at the URL http://localhost:8080/invoker/JMXInvokerServlet.

joe
  • 582
  • 2
  • 5
0

CVE-2015-7501 is an exploit which utilizes the InvokerTransformer class found in the apache-commons-collections library to execute arbitrary code on the target machine. It involves sending carefully crafted Java serialized objects from a remote machine to the target machine, where they are deserialized with the vulnerable apache-commons-collections library in the classpath. More details on the vulnerability can be found here.

The WebLogic server exposes HTTP services which allow Java serialized objects to be received, hence it was affected by this vulnerability. A number of other products were also vulnerable to this, as stated in the link above.

The other CVEs might be related to variations of the same issue but that's a guess since Oracle has not disclosed any details about them.

ARau
  • 619
  • 4
  • 9
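A defender-side check for the point made in the second answer, added here as an example and not code from either answer or from WebLogic: inspect the HTTP request body for the Java serialization stream header instead of trusting the Content-Type, since that is what an endpoint must receive before any gadget chain matters. The invoker URL is the one quoted in the first answer; the requests and the stream body are constructed.

```python
# Added example, not from the original post; sample requests are constructed.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC 0xACED + STREAM_VERSION 5
# Class names worth flagging inside a stream; illustrative, not exhaustive.
GADGET_CLASS_NAMES = (b"org.apache.commons.collections.functors.InvokerTransformer",)


def split_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request_line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def classify_request(raw: bytes) -> dict:
    """Decide from the body's first bytes, not the Content-Type (which a client
    can set to anything), whether the request carries a Java serialization stream."""
    request_line, headers, body = split_http_request(raw)
    is_java_stream = body.startswith(JAVA_SERIAL_MAGIC)
    return {
        "request_line": request_line,
        "content_type": headers.get("content-type", ""),
        "java_serialized": is_java_stream,
        "gadget_hits": [c.decode() for c in GADGET_CLASS_NAMES if c in body],
        "alert": is_java_stream,  # alert on any serialized object, gadget seen or not
    }


# Constructed samples. The first mimics a POST to the invoker servlet URL named
# in the first answer; its body is only the stream header followed by a class
# name, not a working serialized object.
SAMPLE_REQUESTS = [
    b"POST /invoker/JMXInvokerServlet HTTP/1.1\r\nHost: localhost:8080\r\n"
    b"Content-Type: application/octet-stream\r\n\r\n"
    + JAVA_SERIAL_MAGIC + b"\x73\x72" + GADGET_CLASS_NAMES[0],
    b"GET /index.html HTTP/1.1\r\nHost: localhost:8080\r\n\r\n",
    b"POST /api HTTP/1.1\r\nHost: localhost:8080\r\n"
    b"Content-Type: application/json\r\n\r\n{\"name\": \"value\"}",
]


def alerts(requests=SAMPLE_REQUESTS):
    """Verdicts for the requests that should be rejected or alerted on."""
    return [v for v in map(classify_request, requests) if v["alert"]]
```

A reverse proxy or WAF rule keyed on the same four bytes catches the transport-level precondition regardless of which gadget library happens to be on the classpath.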