Symptoms

When a malformed JSONRequest is sent in the X-OWA-UrlPostData in an Exchange Server 2013 or Exchange Server 2016 environment, Outlook Web Access error reporting may respond with a HTTP error 500 in OwaSerializationException. Additionally when you use a tool such as Fiddler or Burp Suite Scanner, you can obtain a callstack that resembles the following:

{"Body":{"ErrorCode":500,"ExceptionName":"OwaSerializationException","FaultMessage":"Cannot deserialize object of type FindConversationJsonRequest","IsTransient":false,"StackTrace":"Microsoft.Exchange.Clients.Owa2.Server.Core.OwaSerializationException: Cannot deserialize object of type FindConversationJsonRequest ---> System.Runtime.Serialization.SerializationException: Element ':root' contains data from a type that maps to the name 'http:\/\/schemas.contoso.com\/2004\/07\/Exchaasdadnge:FindConversationJsonRequest'.


Note This issue could be a vulnerability for an authenticated remote attacker to access sensitive information.

Cumulative update information

For Exchange Server 2013

To resolve this issue, install Cumulative Update 14 for Exchange Server 2013 or a later cumulative update for Exchange Server 2013.

For Exchange Server 2016

To resolve this issue, install Cumulative Update 3 for Exchange Server 2016 or a later cumulative update for Exchange Server 2016.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References

Learn about the terminology that Microsoft uses to describe software updates.

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

What affected your experience?

Thank you for your feedback!

×