Description

The Oracle WebLogic WLS-WSAT Component (versions 12.2.1.2.0 and prior) is vulnerable to a XML Deserialization remote code execution vulnerability. Malicious input passed to the XMLDecoder constructor and read functions within the WorkContextXmlInputAdapter class result in the deserialization of an arbitrary Java serialized object. Unauthenticated attackers can exploit it to remotely execute arbitrary code.

Remediation

Oracle released a Critical Patch Update that fixes this issue. To fix this vulnerability it's recommended to install the Oracle Critical Patch Update from the References section.

References

Oracle Critical Patch Update Advisory - October 2017

CVE-2017-10271 Detail

CVE-2017-3506 Detail

Related Vulnerabilities

Telerik Web UI Unrestricted File Upload (CVE-2017-11317)

WordPress Plugin All in One SEO-Best WordPress SEO-Easily Improve SEO Rankings & Increase Traffic Remote Code Execution (4.1.0.1)

XWikiplatform Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2024-37899)

VMware Workspace ONE Access SSTI (CVE-2022-22954)

PHP unserialize() used on user input

Severity

High

Classification

CVE-2017-3506 CVE-2017-10271 CWE-94 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution Acumonitor Insecure Deserialization