Oracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271)

In October 2017 Oracle have published a vulnerability concerning Oracle WebLogic and assigned CVE-2017-10271 to it. Since then no public information regarding this vulnerability was available until a few days ago, when an analysis of the vulnerability and a Proof-of-Concept exploit were published.

The vulnerability stems from an unsafe XML deserialization using Java XMLDecoder in the CoordinatorPortType web service, which is part of the WLS Security component of WebLogic.

Attackers may send a crafted XML document to the aforementioned web service which will cause WebLogic to deserialize it and consequently allow an attacker to construct arbitrary Java objects and invoke their methods resulting in remote code execution.

Figure 1: Part of the request exploiting the vulnerability.

Mitigating the vulnerability with BIG-IP ASM

BIG-IP ASM customers under any supported BIG-IP version are already protected against this 0-day vulnerability, as the exploitation attempt will be detected by an existing Java code injection attack signature (200004174) which can be found in signature sets that include “Server Side Code Injection” attack type or “Java Servlets/JSP” System.

Figure 2: Exploitation attempt blocked by signature id 200004174.

We will be also releasing a dedicated signature in the upcoming ASM Security Update.

Published Dec 25, 2017
Version 1.0
ASM Advanced WAF
cve-2017-10271
remote code execution
security
weblogic

Was this article helpful?

5 Comments

Sort By
  • urocyongroup_30's avatar
    urocyongroup_30
    Icon for Nimbostratus rankNimbostratus
    Jan 08, 2018

    We download the last signature list and added this signature but the signature that blocks our test request is 200004336 "Oracle WebLogic WLS Security component Remote Code Execution" with Last Updated date 12/26/2017. I assume this is the adopted signature to mitigate this attack.

     

    It seems it only works for the default context root /wls-wsat/CoordinatorPortType , if we use and other context root with the same payload the signature is not triggert.

     

    Can we have the rule body of this signature so we can make a custom one that is more generic?

     

  • JG's avatar
    JG
    Icon for Cumulonimbus rankCumulonimbus
    Jan 08, 2018

    Or how can we set up blocking of this sig only for a virtual server quickly? Obviously there is no time for the learning period and we don't want to touch any other traffic.

     

  • Cirrus's avatar
    Cirrus
    Icon for Cirrus rankCirrus
    Jan 10, 2018

    Also another option would be top update the weblogic in the background, wouldn't it? Oracle Support advised us to install the latest patch, which should fix this vulnerability

     

  • Cirrus's avatar
    Cirrus
    Icon for Cirrus rankCirrus
    Jan 18, 2018

    This attack signature is for the ASM module. And now your LTM Module should be not be affected, but your backend WebLogic Servers could be.