CVE-2017-3506 — Oracle WebLogic Server OS Command Injection Vulnerability

CVE-2017-3506

Oracle WebLogic Server — WLS-WSAT Component Processes Malicious XML Document to Execute OS Commands; Precursor to CVE-2017-10271; HIGH 7.4; Patched April 2017

What Is Oracle WebLogic Server?

Oracle WebLogic Server is a widely deployed Java EE (now Jakarta EE) application server, used in banking, financial services, government, and large enterprise environments to run mission-critical Java applications. Its WLS-WSAT (Web Services Atomic Transaction) component implements the WS-AtomicTransaction web services protocol. Because WebLogic servers often sit adjacent to core enterprise databases and business application logic, unauthenticated RCE on WebLogic gives an attacker immediate access to sensitive business data and a foothold from which to pivot to connected Oracle database servers.

Overview

Actively Exploited. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on June 3, 2024; federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-3506 is a vulnerability in the Oracle WebLogic Server WLS-WSAT component that allows an unauthenticated attacker to execute OS commands via a specially crafted HTTP request containing a malicious XML document. The WLS-WSAT endpoint hands the work:WorkContext SOAP header to java.beans.XMLDecoder, which treats the XML as a sequence of instructions to instantiate classes and call methods, so an attacker can have the server construct java.lang.ProcessBuilder and call start(). Oracle patched the flaw in its April 2017 Critical Patch Update. That patch was later bypassed by CVE-2017-10271 (October 2017); both CVEs exploit the same WLS-WSAT attack surface. CISA added CVE-2017-3506 to the KEV catalog in June 2024, reflecting continued exploitation of WebLogic.

Affected Versions

WebLogic Version                                   Status
Oracle WebLogic 10.3.6.0                           Vulnerable
Oracle WebLogic 12.1.3.0                           Vulnerable
Oracle WebLogic 12.2.1.0, 12.2.1.1, 12.2.1.2       Vulnerable
Any of the above with the April 2017 CPU applied   Fixed for CVE-2017-3506 (see note)

Note: Systems patched for CVE-2017-3506 but not CVE-2017-10271 (October 2017 CPU) remain vulnerable to the related bypass.

Technical Details

Root Cause: XML Deserialization in WLS-WSAT Component

CVE-2017-3506 exploits Oracle WebLogic's WLS-WSAT (Web Services Atomic Transaction) component, reachable without authentication at /wls-wsat/CoordinatorPortType and the related endpoints under /wls-wsat/. The component parses incoming SOAP/XML requests as part of its WS-AtomicTransaction implementation and decodes the work:WorkContext SOAP header with java.beans.XMLDecoder. XMLDecoder is not a plain data parser: elements such as <object class="..."> and <void method="..."> are instructions to instantiate that class and invoke that method. A crafted WorkContext header therefore makes WebLogic instantiate attacker-chosen classes (java.lang.ProcessBuilder is the usual choice) and execute OS commands; no serialization gadget chain is involved.

CVE-2017-3506 vs CVE-2017-10271: Oracle's April 2017 patch for CVE-2017-3506 rejected the <object> element that the original attack relied on. Researchers then found that a different XMLDecoder element (<void class="..."> instead of <object class="...">) instantiates a class in exactly the same way; this bypass became CVE-2017-10271 (patched October 2017). Both vulnerabilities affect the same WLS-WSAT endpoint.

High complexity (AC:H) context: the CVSS AC:H rating reflects that server configuration or timing may affect reliable exploitation. In practice the public proof-of-concept requests work against unpatched servers without special preconditions, so defenders should prioritize the flaw as if it were rated AC:L.

Attack Characteristics

Attribute Detail
Attack Vector Network — HTTP POST to WLS-WSAT endpoint
Authentication None required
Endpoint /wls-wsat/CoordinatorPortType
Impact OS command execution as WebLogic process user

Discovery

Discovered by security researchers and reported to Oracle; patched in the April 2017 CPU. The WLS-WSAT attack surface continued to yield related bypasses (CVE-2017-10271) after the initial patch.

Exploitation Context

  • Mass cryptomining campaigns: Both CVE-2017-3506 and its bypass CVE-2017-10271 were heavily exploited for Monero cryptomining within days of public PoC release; automated mass scanning targeted exposed WebLogic ports (7001, 7002, 443) globally
  • Chinese threat actors: Multiple Chinese APT groups have specifically targeted Oracle WebLogic vulnerabilities for initial access to enterprise environments; KEV addition in 2024 reflects continued active exploitation
  • WLS-WSAT as persistent attack surface: The same WLS-WSAT endpoint was exploited by CVE-2017-3506, CVE-2017-10271 and CVE-2019-2725 (the last also affected the wls9_async_response component); later WebLogic RCEs such as CVE-2020-14882 targeted other components (the administration console), so restricting WLS-WSAT is necessary but not sufficient. Organizations that deploy WebLogic should specifically restrict or disable this component if it is not required
  • Oracle CPU patching delays: Oracle ships WebLogic fixes in its quarterly Critical Patch Updates, so a flaw reported just after a CPU can remain unpatched for up to a quarter; many organizations further delay CPU application because of compatibility concerns with their enterprise Java applications
  • CISA KEV (2024): Added June 3, 2024 reflecting confirmed active exploitation by threat actors targeting WebLogic infrastructure

Remediation

CISA BOD 22-01 Deadline: June 24, 2024. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
  1. Apply Oracle CPU patches — apply the April 2017 CPU for CVE-2017-3506 AND the October 2017 CPU for CVE-2017-10271; both patches are required to address the full WLS-WSAT attack surface. Also apply all subsequent Oracle CPUs.

  2. Disable WLS-WSAT if not required — if no deployed application uses WS-AtomicTransaction, remove the WLS-WSAT component entirely; this eliminates the whole endpoint attack surface. Delete or undeploy wls-wsat.war from the WebLogic installation and domain (including any copy expanded under the domain's servers/<server>/tmp/_WL_internal directory), restart the server, and confirm that /wls-wsat/CoordinatorPortType now returns 404.

  3. Restrict access to WebLogic admin and managed server ports — WebLogic ports (7001, 7002) should not be internet-accessible; restrict access via firewall to application server networks only.

  4. Monitor for WLS-WSAT exploit patterns — alert on HTTP POST requests to /wls-wsat/ endpoints whose XML body carries a work:WorkContext SOAP header containing <object>, <void>, <new>, or <array> elements with class attributes (or <void method="..."> calls); these are the indicators of CVE-2017-3506 and CVE-2017-10271 exploitation attempts. Match on the parsed elements rather than on one literal string, because the bypass differed from the original attack only in the element name.

  5. Implement Oracle WebLogic security hardening — follow Oracle's WebLogic hardening guide: disable unnecessary components, restrict the domain configuration to required ports and services only, and apply connection filters.
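The following detector is an added example, not code from this advisory or from Oracle, and illustrates both the XMLDecoder mechanism described under Technical Details and the monitoring step above. It parses a request body, collects every XMLDecoder instruction element (object, void, new, array) inside it, and returns a verdict. The sample requests, the dangerous class/method lists and the WS-AT namespace in the benign sample are constructed assumptions for this example and should be tuned against real traffic. When the body is not well-formed XML (attackers often wrap the payload in junk), the detector falls back to a regular expression so the request is not silently passed.

```python
"""Added example, not code from the advisory or from Oracle: a request-level
detector for the XMLDecoder instructions that CVE-2017-3506 and its bypass
CVE-2017-10271 smuggle into the work:WorkContext SOAP header of WLS-WSAT
requests. The sample requests at the bottom are constructed for this example;
the class/method lists are assumptions to be tuned, not an exhaustive list."""
import re
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml

# java.beans.XMLDecoder elements that instantiate a class or call a method.
# <void class="X"> and <new class="X"> create X exactly as <object class="X">
# does, which is why a filter that only rejected <object> was bypassed.
INSTR_TAGS = {"object", "void", "new", "array"}

# Assumed starting list of classes/methods that mean code execution or file I/O.
DANGEROUS_CLASSES = {
    "java.lang.ProcessBuilder", "java.lang.Runtime", "java.io.FileOutputStream",
    "java.io.PrintWriter", "java.net.URL", "java.net.URLClassLoader",
    "javax.script.ScriptEngineManager",
}
DANGEROUS_METHODS = {"start", "exec", "invoke", "getRuntime", "loadClass", "eval"}

# Fallback for bodies that are not well-formed XML: an XML parser stops at the
# first error, but the request must still be judged rather than passed.
_RAW_INSTR = re.compile(
    r"<(?:\w+:)?(object|void|new|array)\b[^>]*\bclass\s*=\s*[\"']([^\"']+)[\"']",
    re.IGNORECASE,
)


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def xmldecoder_instructions(body):
    """Return (tag, class, method) for every XMLDecoder instruction in body."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return [(m.group(1).lower(), m.group(2), None) for m in _RAW_INSTR.finditer(body)]
    found = []
    for el in root.iter():
        tag = _local(el.tag).lower()
        if tag in INSTR_TAGS and (el.get("class") or el.get("method")):
            found.append((tag, el.get("class"), el.get("method")))
    return found


def classify_request(method, path, body):
    """Verdict for one HTTP request: ignore / benign / suspicious / malicious."""
    if not path.lower().startswith("/wls-wsat/"):
        return {"verdict": "ignore", "reasons": ["not a WLS-WSAT path"]}
    reasons, dangerous = [], False
    if method.upper() == "POST":
        for tag, cls, meth in xmldecoder_instructions(body):
            hit = cls in DANGEROUS_CLASSES or meth in DANGEROUS_METHODS
            dangerous = dangerous or hit
            reasons.append(f"<{tag} class={cls} method={meth}>" + (" DANGEROUS" if hit else ""))
    verdict = "malicious" if dangerous else ("suspicious" if reasons else "benign")
    return {"verdict": verdict, "reasons": reasons}


# Constructed samples (not captured traffic); "id" is a harmless stand-in command.
BENIGN = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header/>
  <soapenv:Body><wsat:Prepare xmlns:wsat="http://docs.oasis-open.org/ws-tx/wsat/2006/06"/></soapenv:Body>
</soapenv:Envelope>"""


def _workcontext(instr_tag):
    """Envelope whose WorkContext header builds ProcessBuilder via the given tag."""
    return f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.8.0" class="java.beans.XMLDecoder">
        <{instr_tag} class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="1"><void index="0"><string>id</string></void></array>
          <void method="start"/>
        </{instr_tag}>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""


OBJECT_PAYLOAD = _workcontext("object")  # CVE-2017-3506 shape
VOID_PAYLOAD = _workcontext("void")      # CVE-2017-10271 bypass shape
MALFORMED = 'junk <void class="java.lang.ProcessBuilder"><void method="start"/></void>'

if __name__ == "__main__":
    for name, body in [("benign", BENIGN), ("object", OBJECT_PAYLOAD),
                       ("void", VOID_PAYLOAD), ("malformed", MALFORMED)]:
        print(name, classify_request("POST", "/wls-wsat/CoordinatorPortType", body))
```

The verdict is driven by the parsed element vocabulary, not by a literal such as `<object class="java.lang.ProcessBuilder">`, so the `<void>` variant and namespace-prefixed or mixed-case tags are caught by the same rule; a `suspicious` verdict (instruction elements with no known dangerous class) is where you would add classes observed in your own traffic.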

Key Details

Property               Value
CVE ID                 CVE-2017-3506
Vendor / Product       Oracle — WebLogic Server
NVD Published          2017-04-24
NVD Last Modified      2025-10-22
CVSS 3.1 Score         7.4
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity               HIGH
CWE                    CWE-502 — Deserialization of Untrusted Data
CISA KEV Added         2024-06-03
CISA KEV Deadline      2024-06-24
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    High
Privileges Required  None
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         None

Required Action

CISA BOD 22-01 Deadline: 2024-06-24. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2017-04-18  Oracle releases the April 2017 CPU, patching CVE-2017-3506 in the WebLogic Server WLS-WSAT component
2017-04-24  CVE-2017-3506 published by NVD
2017-10-17  Oracle releases the October 2017 CPU, patching CVE-2017-10271, a bypass of the CVE-2017-3506 fix via a different XML element
2024-06-03  Added to the CISA Known Exploited Vulnerabilities catalog
2024-06-24  CISA BOD 22-01 remediation deadline

References

Resource                                             Type
NVD — CVE-2017-3506                                  Vulnerability Database
CISA KEV Catalog Entry                               US Government
Oracle Critical Patch Update Advisory — April 2017   Vendor Advisory