Apache OfBiz is vulnerable to pre-auth Remote Code Execution (RCE) via unsafe deserialization.
Unsafe deserialization of XMLRPC arguments
OfBiz exposes an
XMLRPC endpoint at
/webtools/control/xmlrpc. This is an unauthenticated endpoint since authentication is applied on a per-service basis. However, the
XMLRPC request is processed before authentication. As part of this processing, any serialized arguments for the remote invocation are deserialized, therefore if the classpath contains any classes that can be used as gadgets to achieve remote code execution, an attacker will be able to run arbitrary system commands on any OfBiz server with same privileges as the servlet container running OfBiz.
This issue leads to pre-auth
Remote Code Execution
Coordinated Disclosure Timeline
- 04/13/2020: Report sent to vendor.
- 04/23/2020: OfBiz maintainer acknowledges the issue.
- 07/13/2020: Issue fixed Release note
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
You can contact the GHSL team at
firstname.lastname@example.org, please include the
GHSL-2020-069 in any communication regarding this issue.