Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAEvdU_35sTnyFYsZKLeeW=V1G9P3mKWbvqNFV0q300x5E7GKow@mail.gmail.com>
Date: Tue, 10 Sep 2019 15:29:17 -0700
From: Jacopo Cappellato <jacopoc@...che.org>
To: "user@...iz.apache.org ML" <user@...iz.apache.org>, Dev list <dev@...iz.apache.org>, 
	security@...iz.apache.org, announce@...che.org, 
	oss-security@...ts.openwall.com, hizhangsword@...il.com, 
	security-reports@...mle.com
Subject: [CVE-2018-17200] Apache OFBiz unauthenticated remote code execution
 vulnerability in HttpEngine

Severity:
Important

Vendor:
The Apache Software Foundation

Versions Affected:
OFBiz 16.11.01 to 16.11.05

Description:
The OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java)
handles requests for HTTP services via the /webtools/control/httpService
endpoint.  This service takes the `serviceContent` parameter in the request
and
 deserializes it using XStream. This `XStream` instance is slightly guarded
by
 disabling the creation of `ProcessBuilder`.  However, this can be easily
 bypassed (and in multiple ways).

Mitigation:
Upgrade to 16.11.06
or manually apply the following commits on branch 16
r1850017+1850019
----

Credit:
Man Yue Mo of the Semmle Security Research Team
张剑 <hizhangsword@...il.com>

References:
http://ofbiz.apache.org/download.html#vulnerabilities

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.