Symptoms
When a malformed JSON request is sent in the X-OWA-UrlPostData header in an Exchange Server 2013 or Exchange Server 2016 environment, Outlook Web Access error reporting may respond with an HTTP 500 error that carries an OwaSerializationException. Additionally, when you use a tool such as Fiddler or Burp Suite Scanner, you can obtain a call stack that resembles the following:
{"Body":{"ErrorCode":500,"ExceptionName":"OwaSerializationException","FaultMessage":"Cannot deserialize object of type FindConversationJsonRequest","IsTransient":false,"StackTrace":"Microsoft.Exchange.Clients.Owa2.Server.Core.OwaSerializationException: Cannot deserialize object of type FindConversationJsonRequest ---> System.Runtime.Serialization.SerializationException: Element ':root' contains data from a type that maps to the name 'http:\/\/schemas.contoso.com\/2004\/07\/Exchaasdadnge:FindConversationJsonRequest'.
Note: This issue could be a vulnerability for an authenticated remote attacker to access sensitive information.
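As an added example (not part of the Microsoft article), the following Python checks whether an OWA JSON error envelope of the shape shown above discloses internal exception details, so a defender reviewing proxy captures can flag responses that match this symptom. The sample body is constructed from the fields shown in the article; the function names and the shortened stack trace are assumptions.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the OWA error envelope in the article;
# the stack trace is shortened and is not a real capture.
SAMPLE_BODY = json.dumps({
    "Body": {
        "ErrorCode": 500,
        "ExceptionName": "OwaSerializationException",
        "FaultMessage": "Cannot deserialize object of type FindConversationJsonRequest",
        "IsTransient": False,
        "StackTrace": (
            "Microsoft.Exchange.Clients.Owa2.Server.Core.OwaSerializationException: "
            "Cannot deserialize object of type FindConversationJsonRequest ---> "
            "System.Runtime.Serialization.SerializationException: Element ':root' "
            "contains data from a type that maps to an unexpected name."
        ),
    }
})

@dataclass
class OwaErrorFinding:
    error_code: Optional[int]
    exception_name: Optional[str]
    inner_exception: Optional[str]   # exception type after '--->' in the trace, if any
    leaks_stack_trace: bool
    parse_error: Optional[str] = None

INNER_RE = re.compile(r"--->\s*([\w.]+Exception)")

def classify_owa_error(body: str) -> OwaErrorFinding:
    """Parse an OWA error envelope and report what it discloses."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        # Truncated captures (like the cut-off trace in the article) are reported, not raised.
        return OwaErrorFinding(None, None, None, False, parse_error=str(exc))
    inner = doc.get("Body", {}) if isinstance(doc, dict) else {}
    trace = inner.get("StackTrace") or ""
    match = INNER_RE.search(trace)
    return OwaErrorFinding(inner.get("ErrorCode"), inner.get("ExceptionName"),
                           match.group(1) if match else None, bool(trace.strip()))

def is_owa_deserialization_disclosure(body: str) -> bool:
    """True when the response matches the article's symptom: 500 + OwaSerializationException + trace."""
    f = classify_owa_error(body)
    return f.error_code == 500 and f.exception_name == "OwaSerializationException" and f.leaks_stack_trace
```

A response that still matches after the cumulative update is applied is worth re-checking, since the article lists that update as the fix.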
Cumulative update information
For Exchange Server 2013
To resolve this issue, install Cumulative Update 14 for Exchange Server 2013 or a later cumulative update for Exchange Server 2013.
For Exchange Server 2016
To resolve this issue, install Cumulative Update 3 for Exchange Server 2016 or a later cumulative update for Exchange Server 2016.
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
References
Learn about the terminology that Microsoft uses to describe software updates.
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.