Summary
Apache OfBiz is vulnerable to pre-auth Remote Code Execution (RCE) via unsafe deserialization.
Product
Apache Ofbiz
Tested Version
17.12.01
Details
Unsafe deserialization of XMLRPC arguments
OfBiz exposes an XMLRPC endpoint at /webtools/control/xmlrpc. This is an unauthenticated endpoint since authentication is applied on a per-service basis. However, the XMLRPC request is processed before authentication. As part of this processing, any serialized arguments for the remote invocation are deserialized, therefore if the classpath contains any classes that can be used as gadgets to achieve remote code execution, an attacker will be able to run arbitrary system commands on any OfBiz server with same privileges as the servlet container running OfBiz.
Impact
This issue leads to pre-auth Remote Code Execution
CVE
- CVE-2020-9496
Coordinated Disclosure Timeline
- 04/13/2020: Report sent to vendor.
- 04/23/2020: OfBiz maintainer acknowledges the issue.
- 07/13/2020: Issue fixed Release note
Credit
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
Contact
You can contact the GHSL team at securitylab@github.com, please include the GHSL-2020-069 in any communication regarding this issue.