WebLogic WLS Deserialization RCE : CVE-2017-10271

In the month of October 2017 a Java deserialization vulnerability was disclosed to Oracle. The vulnerability is assigned CVE-2017-10271. Oracle has addressed this issue by releasing patches in October. Upon successful exploitation an attacker can achieve remote code execution with out authentication. An attacker sends a custom XML request to CoordinatorPortType web service, this causes the XML parser to deserialize and create attacker specific Java objects. Code execution is achieved by invoking the methods associated to the objects.

The affected WebLogic versions are:
– 10.3.6.0.0
– 12.1.3.0.0
– 12.2.1.1.0
– 12.2.1.2.0

Vulnerability and Exploitation
The vulnerability is due to improper validation of serialized XML data by the WorkContextXmlInputAdapter class, this is part of the  WebLogic’s WLS Security component. A PoC is available online that can craft the XML request and execute a reverse shell payload on the target. A Metasploit module is also available to exploit this vulnerability. There are reports that this vulnerability is being exploited to mine Cryptocurrency.

Mitigation
Please apply the latest patches provided by Oracle. Customers can scan their network using QID 87313 to detect vulnerable machine.

Please continue to follow Qualys for information about this vulnerability

Reference
Oracle Critical Patch Update Advisory – October 2017
CVE-2017-10271
Unpatched Oracle WebLogic Servers Infected with Cryptocurrency Software
Campaign is using a recently released WebLogic exploit to deploy a Monero miner

Leave a Reply

Your email address will not be published. Required fields are marked *