Oracle Weblogic WLS-WSAT Component Deserialization RCE
Description
The Oracle WebLogic Server WLS-WSAT component (versions 12.2.1.2.0 and earlier) contains a critical XML deserialization vulnerability that allows remote code execution. The vulnerability exists in the WorkContextXmlInputAdapter class, which unsafely deserializes XML input using the XMLDecoder constructor. Attackers can exploit this flaw by sending specially crafted XML payloads to the vulnerable endpoint, causing the server to deserialize and execute arbitrary Java objects without requiring authentication.
Remediation
Apply the Oracle Critical Patch Update (CPU) for October 2017 immediately to remediate CVE-2017-10271 and CVE-2017-3506. Follow these steps:
1. Download the appropriate patch from Oracle Support (My Oracle Support Document 2817011.1)
2. Review the patch documentation and test in a non-production environment first
3. Schedule a maintenance window and create a complete system backup
4. Apply the patch following Oracle's installation instructions for your specific WebLogic version
5. Restart the WebLogic Server and verify the patch installation
6. Confirm the WLS-WSAT component is properly secured or disabled if not required
As a temporary mitigation until patching is complete, consider restricting network access to the WebLogic Server administration ports and disabling the WLS-WSAT component if it is not business-critical. Implement network segmentation and monitoring to detect exploitation attempts.
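To make the monitoring suggested above concrete, here is an added example (not Oracle's code and not part of this advisory) that parses WebLogic access-log lines and flags POST requests to the WLS-WSAT context root, counting them per source address. The log lines are constructed samples, and the /wls-wsat context root is an assumption to adjust to your deployment.

```python
"""Flag WebLogic access-log requests aimed at the WLS-WSAT component.
Added example, not Oracle code: assumes WebLogic's default access.log
(common log format) and a /wls-wsat context root (adjust WSAT_PREFIX)."""
import re
from collections import Counter

WSAT_PREFIX = "/wls-wsat/"  # assumed context root of the WLS-WSAT web app

# Common log format: client ident user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample lines (not real traffic): one client POSTs to the
# WLS-WSAT endpoint twice, another only fetches the WSDL.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Oct/2017:10:12:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5123
203.0.113.7 - - [23/Oct/2017:10:12:05 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 412
198.51.100.9 - - [23/Oct/2017:10:13:40 +0000] "GET /wls-wsat/CoordinatorPortType?WSDL HTTP/1.1" 200 2890
203.0.113.7 - - [23/Oct/2017:10:14:11 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 412
192.0.2.4 - - [23/Oct/2017:10:15:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_wsat_requests(log_text, methods=("POST",)):
    """Return parsed entries under the WLS-WSAT context root using the given methods.
    The deserialization sink is reached through a POSTed XML body, so GETs
    (e.g. WSDL retrieval) are left out by default."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["method"] not in methods:
            continue
        if entry["path"].split("?", 1)[0].startswith(WSAT_PREFIX):  # drop query string
            hits.append(entry)
    return hits


def requests_per_client(hits):
    """Count flagged requests per source address to surface repeated probing."""
    return dict(Counter(e["client"] for e in hits))
```

Feed the real access.log text to find_wsat_requests and alert on any client that has no legitimate reason to call the WS-AT endpoints; after patching, the same rule still identifies hosts that were probing before the fix went in.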