August 12, 2020

GHSL-2020-069: Unsafe deserialization of XMLRPC arguments in Apache OfBiz - CVE-2020-9496

Alvaro Muñoz

Summary

Apache OfBiz is vulnerable to pre-auth Remote Code Execution (RCE) via unsafe deserialization.

Product

Apache OfBiz

Tested Version

17.12.01

Details

Unsafe deserialization of XMLRPC arguments

OfBiz exposes an XMLRPC endpoint at /webtools/control/xmlrpc. This endpoint is unauthenticated, because authentication is applied on a per-service basis; the XMLRPC request itself, however, is processed before any authentication takes place. As part of this processing, any serialized arguments for the remote invocation are deserialized. Therefore, if the classpath contains classes that can be used as gadgets to achieve remote code execution, an attacker is able to run arbitrary system commands on any OfBiz server with the same privileges as the servlet container running OfBiz.
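As a defensive illustration of the mechanism described above (an added example, not code from the advisory or from OfBiz): a small Python filter that inspects an XML-RPC request body before it reaches the endpoint and flags arguments that carry serialized Java objects. It assumes Apache XML-RPC's `serializable` extension element and namespace, which the advisory does not name, and the Java serialization stream header `AC ED 00 05`; the method names and request bodies are constructed samples.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Assumption: Apache XML-RPC extension namespace (not stated in the advisory).
XMLRPC_EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"
# Every Java serialization stream starts with this four-byte header.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]

def _decodes_to_java_stream(text) -> bool:
    """True if the base64 text decodes to a Java serialization stream."""
    try:
        raw = base64.b64decode(text or "", validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(JAVA_SERIAL_MAGIC)

def inspect_xmlrpc_request(body: bytes) -> dict:
    """Return the called method and the reasons (if any) to block the request."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {"method": None, "findings": ["unparseable XML-RPC body"]}
    name_el = root.find("methodName")
    method = name_el.text.strip() if name_el is not None and name_el.text else None
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "serializable":
            findings.append("<serializable> argument (Java object deserialized server-side)")
        elif tag == "base64" and _decodes_to_java_stream(el.text):
            findings.append("<base64> argument carrying a Java serialization stream")
    return {"method": method, "findings": findings}

def should_block(body: bytes) -> bool:
    """Reject before authentication any request that would be deserialized."""
    return bool(inspect_xmlrpc_request(body)["findings"])

# Constructed sample bodies for demonstration (not captured traffic).
BENIGN = (b"<?xml version='1.0'?><methodCall><methodName>ping</methodName>"
          b"<params><param><value><string>hello</string></value></param></params></methodCall>")
SUSPECT = ("<?xml version='1.0'?><methodCall xmlns:ex='%s'><methodName>exampleService</methodName>"
           "<params><param><value><ex:serializable>%s</ex:serializable></value></param></params>"
           "</methodCall>" % (XMLRPC_EXT_NS,
                              base64.b64encode(JAVA_SERIAL_MAGIC + b"constructed").decode())).encode()
```

`should_block(SUSPECT)` is True and `should_block(BENIGN)` is False; a body that does not parse is also rejected rather than passed through.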

Impact

This issue leads to pre-auth Remote Code Execution.

CVE

  • CVE-2020-9496

Coordinated Disclosure Timeline

  • 04/13/2020: Report sent to vendor.
  • 04/23/2020: OfBiz maintainer acknowledges the issue.
  • 07/13/2020: Issue fixed; see the release note.

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-069 in any communication regarding this issue.