OWA error reporting responds with an HTTP error 500 in OwaSerializationException

Symptoms
When a malformed JSONRequest is sent in the X-OWA-UrlPostData in an Exchange Server 2013 or Exchange Server 2016 environment, Outlook Web Access error reporting may respond with an HTTP error 500 in OwaSerializationException. Additionally, when you use a tool such as Fiddler or Burp Suite Scanner, you can obtain a call stack that resembles the following:
{"Body":{"ErrorCode":500,"ExceptionName":"OwaSerializationException","FaultMessage":"Cannot deserialize object of type FindConversationJsonRequest","IsTransient":false,"StackTrace":"Microsoft.Exchange.Clients.Owa2.Server.Core.OwaSerializationException: Cannot deserialize object of type FindConversationJsonRequest ---> System.Runtime.Serialization.SerializationException: Element ':root' contains data from a type that maps to the name 'http:\/\/schemas.contoso.com\/2004\/07\/Exchaasdadnge:FindConversationJsonRequest'.

Note: This issue could be a vulnerability that allows an authenticated remote attacker to access sensitive information.
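
A defender-side check for the disclosure described above, as an added example that is not part of the original article or Microsoft's code: it inspects a captured OWA response body (for example, one saved from Fiddler) and reports whether it carries a stack trace and which internal .NET exception types it names. The sample bodies and the function name `inspect_owa_error` are constructed for illustration.

```python
import json
import re

# Field names are the ones visible in the error body quoted in this article.
NAME_RE = re.compile(r'"ExceptionName"\s*:\s*"([^"]*)"')
# Captures the StackTrace value even when the capture is cut off mid-string.
STACK_RE = re.compile(r'"StackTrace"\s*:\s*"((?:[^"\\]|\\.)*)')
# Fully qualified .NET exception type names (Namespace.Sub.FooException).
TYPE_RE = re.compile(r'\b(?:[A-Za-z_]\w*\.)+\w*Exception\b')

# Constructed sample: shortened from the excerpt above, cut off the same way.
VERBOSE_TRUNCATED = (
    '{"Body":{"ErrorCode":500,"ExceptionName":"OwaSerializationException",'
    '"IsTransient":false,"StackTrace":"Microsoft.Exchange.Clients.Owa2.Server.'
    'Core.OwaSerializationException: Cannot deserialize object ---> '
    'System.Runtime.Serialization.SerializationException: Element'
)
# Constructed sample: an assumed error body that carries no stack trace.
SUPPRESSED = ('{"Body":{"ErrorCode":500,"ExceptionName":'
              '"OwaSerializationException","IsTransient":false,"StackTrace":""}}')


def inspect_owa_error(body_text):
    """Report what an OWA error response body discloses to the client."""
    name = trace = None
    try:
        doc = json.loads(body_text)
        body = doc.get("Body") if isinstance(doc, dict) else None
        if isinstance(body, dict):
            name, trace = body.get("ExceptionName"), body.get("StackTrace")
    except ValueError:
        # Truncated or malformed capture: fall back to pattern matching.
        m = NAME_RE.search(body_text)
        name = m.group(1) if m else None
        m = STACK_RE.search(body_text)
        trace = m.group(1) if m else None
    trace = trace if isinstance(trace, str) else ""
    return {
        "is_owa_error": name is not None,
        "exception": name,
        "leaks_stack_trace": bool(trace.strip()),
        "internal_types": sorted(set(TYPE_RE.findall(trace))),
    }


if __name__ == "__main__":
    for sample in (VERBOSE_TRUNCATED, SUPPRESSED, "<html>login</html>"):
        print(inspect_owa_error(sample))
```

Run it over response bodies captured before and after the cumulative update is installed to confirm whether the error path still returns a stack trace.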

Cumulative update information

For Exchange Server 2013

To resolve this issue, install Cumulative Update 14 for Exchange Server 2013 or a later cumulative update for Exchange Server 2013.

For Exchange Server 2016

To resolve this issue, install Cumulative Update 3 for Exchange Server 2016 or a later cumulative update for Exchange Server 2016.
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
References
Learn about the terminology that Microsoft uses to describe software updates.

Third-party information disclaimer
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.
Properties

Article ID: 3176540 - Last Review: 09/20/2016 15:28:00 - Revision: 2.0

Exchange Server 2016 Enterprise Edition, Exchange Server 2016 Standard Edition, Microsoft Exchange Server 2013 Enterprise, Microsoft Exchange Server 2013 Standard

  • kbqfe kbsurveynew kbfix kbexpertiseinter KB3176540