OWA error reporting responds with an HTTP error 500 in OwaSerializationException

Symptoms

When a malformed JSONRequest is sent in the X-OWA-UrlPostData header in an Exchange Server 2013 or Exchange Server 2016 environment, Outlook Web Access error reporting may respond with an HTTP error 500 in OwaSerializationException. Additionally, when you use a tool such as Fiddler or Burp Suite Scanner, you can obtain a call stack that resembles the following:
{"Body":{"ErrorCode":500,"ExceptionName":"OwaSerializationException","FaultMessage":"Cannot deserialize object of type FindConversationJsonRequest","IsTransient":false,"StackTrace":"Microsoft.Exchange.Clients.Owa2.Server.Core.OwaSerializationException: Cannot deserialize object of type FindConversationJsonRequest ---> System.Runtime.Serialization.SerializationException: Element ':root' contains data from a type that maps to the name 'http:\/\/schemas.contoso.com\/2004\/07\/Exchaasdadnge:FindConversationJsonRequest'.

Note This issue could allow an authenticated remote attacker to access sensitive information.
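The symptom above is a verbose error body that hands an authenticated client a server-side stack trace naming internal Exchange and .NET types. Until the cumulative update is installed, the practical defensive step is to notice when a server is producing such bodies. The following is an added example, not Microsoft code or anything from this article: it assumes OWA responses for the service endpoint have been captured by a reverse proxy, WAF, or test harness that records bodies, and it classifies each captured body, flagging those that match the OwaSerializationException pattern and listing the internal type names the stack trace exposed. The sample responses are constructed to mirror the shape shown in the article.

```python
"""Flag verbose OWA JSON error bodies (the KB 3176540 symptom) in captured responses.

Added example, not Microsoft code. Assumes (status, body) pairs captured at a proxy,
WAF or test harness; the sample bodies below are constructed, not real captures.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field

# Fully qualified .NET type names from the Microsoft.Exchange and System namespaces,
# as they appear in a stack trace. A client never needs any of these.
_TYPE_RE = re.compile(r"\b(?:Microsoft\.Exchange|System)(?:\.[A-Za-z_][A-Za-z0-9_]*)+")


@dataclass
class Finding:
    status: int
    error_code: int | None
    exception_name: str | None
    leaks_stack_trace: bool
    leaked_types: list[str] = field(default_factory=list)

    @property
    def matches_kb3176540(self) -> bool:
        """True when the body looks like the unpatched OwaSerializationException leak."""
        return (
            self.error_code == 500
            and self.exception_name == "OwaSerializationException"
            and self.leaks_stack_trace
        )


def parse_owa_error(body: str) -> dict | None:
    """Return the 'Body' object of an OWA JSON error response, or None if it is not one."""
    try:
        doc = json.loads(body)
    except ValueError:  # JSONDecodeError is a ValueError
        return None
    inner = doc.get("Body") if isinstance(doc, dict) else None
    if not isinstance(inner, dict) or "ErrorCode" not in inner:
        return None
    return inner


def classify_response(status: int, body: str) -> Finding | None:
    """Classify one captured response; None means it is not an OWA error body."""
    err = parse_owa_error(body)
    if err is None:
        return None
    trace = err.get("StackTrace") or ""
    # dict.fromkeys de-duplicates while keeping first-seen order
    types = list(dict.fromkeys(_TYPE_RE.findall(trace)))
    return Finding(
        status=status,
        error_code=err.get("ErrorCode"),
        exception_name=err.get("ExceptionName"),
        leaks_stack_trace=bool(trace.strip()),
        leaked_types=types,
    )


def scan(responses: list[tuple[int, str]]) -> list[tuple[int, Finding]]:
    """Return (index, finding) for every captured response that is an OWA error body."""
    out = []
    for i, (status, body) in enumerate(responses):
        finding = classify_response(status, body)
        if finding is not None:
            out.append((i, finding))
    return out


# Constructed sample captures. The first mirrors the article's error shape; the others are
# a success body, a 500 without a stack trace, and a non-JSON error page.
_LEAKY_BODY = {
    "Body": {
        "ErrorCode": 500,
        "ExceptionName": "OwaSerializationException",
        "FaultMessage": "Cannot deserialize object of type FindConversationJsonRequest",
        "IsTransient": False,
        "StackTrace": (
            "Microsoft.Exchange.Clients.Owa2.Server.Core.OwaSerializationException: "
            "Cannot deserialize object of type FindConversationJsonRequest ---> "
            "System.Runtime.Serialization.SerializationException: Element ':root' "
            "contains data from a type that maps to the name "
            "'http://schemas.contoso.com/2004/07/Exchaasdadnge:FindConversationJsonRequest'."
        ),
    }
}
SAMPLE_RESPONSES = [
    (500, json.dumps(_LEAKY_BODY)),
    (200, json.dumps({"Body": {"ResponseCode": "NoError"}})),
    (500, json.dumps({"Body": {"ErrorCode": 500, "ExceptionName": "OwaInvalidRequestException",
                                "FaultMessage": "Bad request", "IsTransient": False}})),
    (500, "<html>Generic error page</html>"),
]

if __name__ == "__main__":
    for idx, f in scan(SAMPLE_RESPONSES):
        flag = "LEAK (KB 3176540 pattern)" if f.matches_kb3176540 else "error, no trace"
        print(f"response {idx}: {f.exception_name}: {flag}; types exposed: {f.leaked_types}")
```

Run against real captures, a hit on `matches_kb3176540` identifies a server that has not yet received the cumulative update; `leaked_types` is what to cite in the finding when explaining what was disclosed.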

Cumulative update information

For Exchange Server 2013

To resolve this issue, install Cumulative Update 14 for Exchange Server 2013 or a later cumulative update for Exchange Server 2013.

For Exchange Server 2016

To resolve this issue, install Cumulative Update 3 for Exchange Server 2016 or a later cumulative update for Exchange Server 2016.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References

Learn about the terminology that Microsoft uses to describe software updates.

Properties

Article ID: 3176540 - Last Review: Sep 20, 2016 - Revision: 1

Applies to: Exchange Server 2016 Enterprise Edition, Exchange Server 2016 Standard Edition, Microsoft Exchange Server 2013 Enterprise, Microsoft Exchange Server 2013 Standard Edition
