Alert Logic® is actively researching an exploit disclosed by Oracle in October 2017 – CVE-2017-10271. This exploit, which is a critical Java deserialization vulnerability in WebLogic’s ‘WLS Security’ subcomponent, was the result of an incomplete patch for CVE-2017-3506 – a similar vulnerability. Oracle has already made a patch available for CVE-2017-10271, and a proof of concept was released on December 23, 2017.
This vulnerability in Oracle WebLogic’s ‘WLS-WSAT’ subcomponent consists of an XML exploitation, whereby an attacker sends crafted XML payloads, which can result in remote code execution (RCE). This may lead to complete compromise of the server. Users of vulnerable, public-facing versions of WebLogic are at risk for exploitation of this threat.
For more information and technical details about this exploit, refer to our Beware the WebLogic WLS-WSAT Component Deserialization RCE Exploit blog post.
Alert Logic Coverage
Alert Logic Web Security Manager™ and Web Security Manager Premier™ detect this vulnerability. If Web Security Manager Premier is in Protect mode, this vulnerability is blocked.
In addition, Alert Logic Threat Manager™ has signatures in place to detect exploits of CVE-2017-10271 and CVE-2017-3506, and the Security Operations Center is actively monitoring these signatures to generate incidents for any suspected successful exploit.
Alert Logic has also developed vulnerability scan coverage to identify vulnerable assets through Alert Logic Cloud Defender®, Threat Manager, and Cloud Insight™.
Due to the nature of this exploit, Alert Logic Log Manager™ is not an effective method of detecting exploits of these vulnerabilities.
Recommendations for Mitigation
WebLogic versions 10.3.6.0.0, 184.108.40.206.0, 220.127.116.11.0, and 18.104.22.168.0 are vulnerable to CVE-2017-10271 and CVE-2017-3506. If you are using any of the above versions, it is recommended that you apply the latest patches from the Oracle website below as soon as possible. These patches are available on Oracle’s website.