Oracle has addressed several WebLogic Server vulnerabilities this Patch Tuesday. In this post we will discuss one of the critical vulnerbilities, CVE-2018-3246. It’s an XML External Entity (XXE) vulnerability that affects Oracle WebLogic Server versions 22.214.171.124, and 126.96.36.199.
The vulnerability exists in a component that allows users to upload configuration files in an XML format. The server throws an error when a malformed XML is submitted.
Let’s create a simple file upload form and submit the request to WebLogic server:
Let’s capture this request in BurpSuite. The server response confirms that it indeed tried to connect to attacking IP over port 443:
and we now have a connection from WebLogic server on our attacking IP:
An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary commands on the system. Customers are advised to scan their network for QID#87368 and QID#371264 to find vulnerable WebLogic Servers and apply appropriate patches.