<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
[CVE-2018-17200] Apache OFBiz unauthenticated remote code execution vulnerability in HttpEngine
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Jacopo Cappellato <jacopoc () apache org>
Date: Tue, 10 Sep 2019 15:29:17 -0700
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Severity:
Important
Vendor:
The Apache Software Foundation
Versions Affected:
OFBiz 16.11.01 to 16.11.05
Description:
The OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java)
handles requests for HTTP services via the /webtools/control/httpService
endpoint. This service takes the `serviceContent` parameter in the request
and
deserializes it using XStream. This `XStream` instance is slightly guarded
by
disabling the creation of `ProcessBuilder`. However, this can be easily
bypassed (and in multiple ways).
Mitigation:
Upgrade to 16.11.06
or manually apply the following commits on branch 16
r1850017+1850019
----
Credit:
Man Yue Mo of the Semmle Security Research Team
张剑 <hizhangsword () gmail com>
References:
http://ofbiz.apache.org/download.html#vulnerabilities
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
[CVE-2018-17200] Apache OFBiz unauthenticated remote code execution vulnerability in HttpEngine Jacopo Cappellato (Sep 10)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->