CVE-2017-10271
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Analysis
Oracle WebLogic Server allows unauthenticated remote code execution through the WLS Security component (the wls-wsat web service); the bug was mass-exploited for cryptocurrency mining and botnet recruitment from late 2017 onward. The published CVSS vector records only an availability impact (7.5, C:N/I:N/A:H), while Oracle's own description and the observed exploitation amount to full server takeover, so treat this as critical RCE rather than as a denial of service when prioritising.
Technical Context
CWE-306 (missing authentication) describes how the endpoint is reached; the root cause is deserialization of untrusted data. The WLS Security subcomponent hands attacker-supplied XML to java.beans.XMLDecoder, which evaluates the document as a script of object constructions and method calls. An XMLDecoder document can therefore instantiate java.lang.ProcessBuilder with attacker-chosen arguments and invoke start(), which is what the public payloads do; no gadget chain in the Java-serialization sense is needed. In the wild the XML arrives as a SOAP WorkContext header in an HTTP POST to the wls-wsat web service (/wls-wsat/CoordinatorPortType), even though Oracle's advisory lists T3 as the protocol. Commands run as the operating-system account that owns the WebLogic server process.
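The request shape described above, as seen by a WAF or IDS rule: an added example for this page, not code from the original page or from Oracle. It parses a SOAP request body, treats any XMLDecoder `<java>` document inside the SOAP header as abnormal, and flags one that constructs a process-spawning class as a code-execution attempt. The two request bodies are constructed samples (the command in the malicious one is a placeholder); the wls-wsat path prefix and the set of flagged classes beyond java.lang.ProcessBuilder are assumptions.

```python
"""Flag java.beans.XMLDecoder payloads in SOAP requests sent to WebLogic.

Added example for this page; not code from the original page or from Oracle.
It mirrors what a WAF or IDS rule for CVE-2017-10271 checks: a SOAP header
carrying an XMLDecoder <java> document is abnormal, and one that constructs a
process-spawning class is a code-execution attempt.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WLS_WSAT_PREFIX = "/wls-wsat/"   # assumed: the service public exploits post to

# Classes no legitimate WorkContext header would ask XMLDecoder to build.
# java.lang.ProcessBuilder is what public payloads use; the others are
# assumed additions a defender would also want to catch.
SPAWN_CLASSES = {
    "java.lang.ProcessBuilder",
    "java.lang.Runtime",
    "javax.script.ScriptEngineManager",
}

# Constructed sample: the shape of an in-the-wild request, placeholder command.
MALICIOUS_BODY = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.8" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="1">
            <void index="0"><string>id</string></void>
          </array>
          <void method="start"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""

# Constructed sample: an ordinary SOAP call with an opaque WorkContext header.
BENIGN_BODY = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">AAEAAQ==</work:WorkContext>
  </soapenv:Header>
  <soapenv:Body><ns:ping xmlns:ns="urn:example"/></soapenv:Body>
</soapenv:Envelope>"""


def _local(tag: str) -> str:
    """Strip a Clark-notation namespace: '{ns}java' -> 'java'."""
    return tag.rsplit("}", 1)[-1]


def classes_in_java_doc(java_el: ET.Element) -> set:
    """All 'class' attribute values under an XMLDecoder <java> root."""
    return {el.get("class") for el in java_el.iter() if el.get("class")}


def inspect_request(path: str, body: bytes) -> dict:
    """Classify one request as clean / suspicious / rce_attempt / unparsed."""
    reasons = []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {"verdict": "unparsed", "reasons": ["body is not well-formed XML"]}

    # XMLDecoder only ever consumes a <java> root; inside a SOAP header that
    # element has no business existing at all.
    header = root.find(f"{{{SOAP_NS}}}Header")
    java_docs = [] if header is None else [
        el for el in header.iter() if _local(el.tag) == "java"
    ]
    if not java_docs:
        return {"verdict": "clean", "reasons": reasons}

    reasons.append("XMLDecoder <java> document inside SOAP header")
    if path.startswith(WLS_WSAT_PREFIX):
        reasons.append("target is the wls-wsat service: " + path)
    for doc in java_docs:
        hit = classes_in_java_doc(doc) & SPAWN_CLASSES
        if hit:
            reasons.append("constructs process-spawning class: " + ", ".join(sorted(hit)))
            return {"verdict": "rce_attempt", "reasons": reasons}
    return {"verdict": "suspicious", "reasons": reasons}


if __name__ == "__main__":
    for path, body in [("/wls-wsat/CoordinatorPortType", MALICIOUS_BODY),
                       ("/wls-wsat/CoordinatorPortType", BENIGN_BODY)]:
        print(path, inspect_request(path, body))
```

The verdict is deliberately graded: a `<java>` document in the header without a known spawning class is still reported as suspicious, because XMLDecoder can build almost any public class and an attacker need not use the class the public payload does.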
Affected Products
Oracle WebLogic Server 10.3.6.0.0
Oracle WebLogic Server 12.1.3.0.0
Oracle WebLogic Server 12.2.1.1.0
Oracle WebLogic Server 12.2.1.2.0
Remediation
Apply the October 2017 Oracle Critical Patch Update (or any later CPU) to every affected server; this is the only complete fix. Until it is applied, reduce exposure: restrict T3 and T3S to trusted hosts with network filtering and a WebLogic connection filter (weblogic.security.net.ConnectionFilterImpl), and, because public exploitation arrives over HTTP, keep the /wls-wsat/ service off the internet or remove the wls-wsat.war component from the server's lib directory and restart if nothing depends on it. There is no configuration switch that disables XMLDecoder processing in the vulnerable component; the patch is what removes it. Servers that were internet-facing before patching should be checked for compromise, in particular for unexpected processes and scheduled jobs running as the WebLogic service account, since this bug was mass-exploited for coin mining.
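A concrete form of the T3 connection-filter rule set the remediation refers to, added here as an example and not taken from the page or from Oracle's documentation; the address ranges and the 7001 listen port are assumed values. In the Administration Console it goes under Domain > Security > Filter, with Connection Filter set to weblogic.security.net.ConnectionFilterImpl and these lines in Connection Filter Rules. Each rule is `target localAddress localPort action protocols`; rules are evaluated top to bottom and the first match wins, so the deny-all line must come last:

```text
10.10.0.0/16   *   7001   allow   t3 t3s
10.20.5.0/24   *   7001   allow   t3 t3s
0.0.0.0/0      *   *      deny    t3 t3s
```

This limits who can reach the T3 listener at all; it does nothing for the HTTP path to /wls-wsat/, which still needs the patch, an edge filter on that URI prefix, or removal of the component.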