CVE-2017-10271
Published: 19 October 2017
Summary
CVE-2017-10271 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Oracle Weblogic Server. Its CVSS base score is 7.5 (High).
Operationally, ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
CVE-2017-10271 is a vulnerability in the WLS Security subcomponent of Oracle WebLogic Server within Oracle Fusion Middleware. It affects supported versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, and 12.2.1.2.0. The flaw is remotely exploitable over the T3 protocol without authentication and carries a CVSS 3.0 base score of 7.5 with an impact limited to availability.
An unauthenticated attacker with network access can exploit the issue to achieve takeover of the Oracle WebLogic Server instance. The attack requires no user interaction and succeeds due to missing authentication enforcement in the affected security component.
Oracle's October 2017 Critical Patch Update addresses the vulnerability through official patches for the listed versions. Public references, including exploit code on GitHub and Exploit-DB, confirm that working proof-of-concept implementations have been released.
The issue is tracked under CWE-306 and was published with references to SecurityFocus and SecurityTracker entries that point to the same Oracle advisory for remediation details.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-1918
Vulnerability details
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic…
more
Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
- CWE(s)
- KEV Date Added
- 10 February 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authentication requirements on T3 interfaces, blocking the unauthenticated remote access that enables server takeover in CVE-2017-10271.
Mandates identification and authentication of all users before granting access to WebLogic security functions, directly mitigating the missing-authentication flaw (CWE-306).
Requires timely application of the October 2017 Critical Patch Update that Oracle released specifically to correct the WLS Security authentication bypass.