A vulnerability was found in Apache OFBiz up to 16.11.05 and classified as critical. This issue affects the function deserialize of the file webtools/control/httpService of the component XmlSerializer. The manipulation of the argument serviceContext as part of a Parameter leads to a deserialization vulnerability. Using CWE to declare the problem leads to CWE-502. The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the "webtools/control/httpService" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter "serviceContext" is passed to the "deserialize" method of "XmlSerializer". Apache Ofbiz is affected via two different dependencies: "commons-beanutils" and an out-dated version of "commons-fileupload" Mitigation: Upgrade to 16.11.06 or manually apply the commits from OFBIZ-10770 and OFBIZ-10837 on branch 16

The weakness was disclosed 09/11/2019 (Website). It is possible to read the advisory at s.apache.org. The identification of this vulnerability is CVE-2019-0189 since 11/14/2018. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details of the vulnerability are known, but there is no available exploit.

Upgrading to version 16.11.06 eliminates this vulnerability.

The entries 141649, 141648 and 141646 are pretty similar.

Productinfo

Vendor

• Apache

Name

• OFBiz

Version

• 16.11.05

License

• open-source

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion