NetScaler does not currently have a built-in signature to protect applications from the "Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability (CVE-2017-10271)".
The vulnerability stems from unsafe XML deserialization using Java XMLDecoder in the CoordinatorPortType web service, which is part of the WLS Security component of WebLogic. Based on the Python executable used to trigger this attack and the pattern found, you can use the following custom signature to block CVE-2017-10271:
root@Primary# cat blog_profile | grep -A5 -B5 1000000
<Reference>cve,2006-5478</Reference>
</Signatures>
<SignatureRule id="1000000" enabled="ON" actions="block,log" category="web-misc" source="" severity="" type="" version="1" sourceid="" harmscore=""><PatternList><RequestPatterns><Pattern><Location area="HTTP_URL"/><Match type="Literal">/wls-wsat/CoordinatorPortType</Match></Pattern><Pattern><Location area="HTTP_METHOD"/><Match type="Literal">POST</Match></Pattern><Pattern><Location area="HTTP_POST_BODY"/><Match type="Literal">java.beans.XMLDecoder</Match></Pattern></RequestPatterns></PatternList><LogString>Let's Protect you against CVE-2017-10271</LogString><Comment/></SignatureRule>
</Signatures>
puneets-MacBook-Pro:~ puneetseth$ curl -X POST "http://10.107.98.108/wls-wsat/CoordinatorPortType" -d @XMLDecoder -v3
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 10.107.98.108...
* TCP_NODELAY set
* Connected to 10.107.98.108 (10.107.98.108) port 80 (#0)
> POST /wls-wsat/CoordinatorPortType HTTP/1.1
> Host: 10.107.98.108
> User-Agent: curl/7.54.0
> Accept: */*
> Content-Length: 739
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 739 out of 739 bytes
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Pragma: no-cache
< Content-Length: 674
< Cneonction: close
* HTTP/1.0 connection set to keep alive!
< Connection: Keep-Alive
<
<html>
<head>
<title>Application Firewall Block Page</title>
</head>
<body>
<h1><B>Your request has been blocked by a security policy<B><BR></H1>
<H3>Access has been blocked - if you feel this is in error, please contact the site administrators quoting the following: </H3>
<UL>
<li>NS Transaction ID: 410008-PPE0
<li>AppFW Session ID: yDlRvWPdInFPzLxtFg8L5BnIoys0000
<li>Violation Category: APPFW_SIGNATURE_MATCH
<li>Violation Details: 10.150.16.22 410008-PPE0 yDlRvWPdInFPzLxtFg8L5BnIoys0000 csrfandcookie http://10.107.98.108/wls-wsat/CoordinatorPortType Signature violation rule ID 1000000: let's protect you against cve-2017-10271 <blocked>
</UL>
</body>
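To check offline what the custom signature above will and will not block before binding it to a profile, the following added example (not part of the original article and not Citrix code) parses the rule's three Literal patterns and evaluates them against constructed requests. It assumes that all patterns in a rule must match (logical AND) and that Literal means a case-sensitive substring match; the request dictionaries and the AREA_TO_FIELD mapping are hypothetical.

```python
import xml.etree.ElementTree as ET

# The SignatureRule from this page, trimmed to the attributes used here.
RULE_XML = """<SignatureRule id="1000000" enabled="ON" actions="block,log">
<PatternList><RequestPatterns>
<Pattern><Location area="HTTP_URL"/><Match type="Literal">/wls-wsat/CoordinatorPortType</Match></Pattern>
<Pattern><Location area="HTTP_METHOD"/><Match type="Literal">POST</Match></Pattern>
<Pattern><Location area="HTTP_POST_BODY"/><Match type="Literal">java.beans.XMLDecoder</Match></Pattern>
</RequestPatterns></PatternList></SignatureRule>"""

# Hypothetical mapping from Location areas to fields of the request dicts below.
AREA_TO_FIELD = {"HTTP_URL": "url", "HTTP_METHOD": "method", "HTTP_POST_BODY": "body"}

def load_patterns(rule_xml):
    """Return (rule_id, [(area, literal), ...]); an empty list if the rule is disabled."""
    rule = ET.fromstring(rule_xml)
    if rule.get("enabled") != "ON":
        return rule.get("id"), []
    patterns = []
    for pat in rule.iter("Pattern"):
        match = pat.find("Match")
        if match.get("type") != "Literal":
            raise ValueError("only Literal matches are modelled in this example")
        patterns.append((pat.find("Location").get("area"), match.text))
    return rule.get("id"), patterns

def rule_matches(patterns, request):
    """Assumed semantics: the rule fires only if every pattern is found (AND)."""
    return bool(patterns) and all(lit in request.get(AREA_TO_FIELD[area], "") for area, lit in patterns)

RULE_ID, PATTERNS = load_patterns(RULE_XML)

# Constructed requests; the body is an inert marker string, not a working payload.
MARKER = '<java class="java.beans.XMLDecoder"></java>'
SAMPLES = {
    "post_with_marker": {"method": "POST", "url": "/wls-wsat/CoordinatorPortType", "body": MARKER},
    "get_same_url": {"method": "GET", "url": "/wls-wsat/CoordinatorPortType", "body": ""},
    "post_other_url": {"method": "POST", "url": "/app/upload", "body": MARKER},
    "post_plain_soap": {"method": "POST", "url": "/wls-wsat/CoordinatorPortType", "body": "<soapenv:Envelope/>"},
}

def evaluate_samples():
    return {name: rule_matches(PATTERNS, req) for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"rule {RULE_ID}: {name:16} -> {'block,log' if hit else 'pass'}")
```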