[
https://issues.apache.org/jira/browse/OFBIZ-12646?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jacques Le Roux updated OFBIZ-12646:
------------------------------------
Description:
During a security assessment the following vulnerability was found on
Apache OfBiz by Matei "Mal" Badanoiu.
It's a Java Deserialization via RMI Connection:
The OfBiz Solr plugin is configured by default to automatically make an RMI
request on localhost, port 1099.
By hosting a malicious RMI server on localhost, an attacker may exploit this
behavior, at server start-up or on a server restart, in order to run arbitrary
code as the user that started OfBiz and potentially elevate his/her privileges.
We (security team) want to note that this exploit can only be done on a shared
server.
was:
The "internal logging" accessible in the Solr admin page works well. It's
sufficient to give the more important info. This was lastly done by OFBIZ-6858.
While working on Solr 9.0.0 I needed the "external logging" (solr.log file)
with the possibility to see what happens before you get to the Solr admin
page. There is already some more information in console but not what I really
need.
Currently OFBizSolrContextFilter class uses system properties to handle
logging. I don't know if it has ever worked but clearly now env vars are needed:
https://solr.apache.org/guide/7_4/configuring-logging.html#permanent-logging-settings
notably SOLR_LOGS_DIR. This could be useful too
https://solr.apache.org/guide/7_4/taking-solr-to-production.html#log-settings
(LOG4J_PROPS)
An alternative is to set Solr logging in the standard OFBiz log4j2.xml.
I'm not sure we need to specify the path for Solr. If so a solution could be to
follow
https://logging.apache.org/log4j/2.x/manual/configuration.html#Composite_Configuration
by using the LOG4J_CONFIGURATION_FILE env var.
> Java Deserialization vulnerability in Apache OfBiz
> --------------------------------------------------
>
> Key: OFBIZ-12646
> URL: https://issues.apache.org/jira/browse/OFBIZ-12646
> Project: OFBiz
> Issue Type: Bug
> Components: solr
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
>
> During a security assessment the following vulnerability was found on
> Apache OfBiz by Matei "Mal" Badanoiu.
> It's a Java Deserialization via RMI Connection:
> The OfBiz Solr plugin is configured by default to automatically make an RMI
> request on localhost, port 1099.
> By hosting a malicious RMI server on localhost, an attacker may exploit this
> behavior, at server start-up or on a server restart, in order to run
> arbitrary code as the user that started OfBiz and potentially elevate his/her
> privileges.
> We (security team) want to note that this exploit can only be done on a
> shared server.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
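For readers unfamiliar with the defensive side of the issue described above, the following is an added example (not OFBiz code and not the fix applied for OFBIZ-12646) showing the JDK's built-in deserialization allow-list filter (JEP 290, Java 9+). The same pattern string, applied JVM-wide with -Djdk.serialFilter=..., also covers the streams the RMI runtime opens on its own, which is where a client talking to an untrusted registry on port 1099 would otherwise deserialize whatever it receives. The package prefix org.apache.ofbiz.** and the sample objects are assumptions for the demo.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

public class RmiDeserializationFilterDemo {

    // Allow-list: the application's own types plus a few JDK value types; "!*" rejects
    // everything else, so gadget classes never reach their readObject methods.
    // For RMI this must be JVM-wide: -Djdk.serialFilter=<pattern> at startup, or
    // ObjectInputFilter.Config.setSerialFilter(...) before any RMI call is made.
    static final String FILTER_PATTERN =
        "org.apache.ofbiz.**;java.lang.*;java.util.ArrayList;maxdepth=10;!*";

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserializes with the allow-list filter attached to this stream only.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(FILTER_PATTERN));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an ArrayList of Strings matches the allow-list.
        List<String> allowed = new ArrayList<>(List.of("solr", "1099"));
        System.out.println("allowed: " + deserializeFiltered(serialize(allowed)));

        // Constructed sample: HashMap is not listed, so the filter rejects the class
        // before any of its deserialization logic runs (InvalidClassException).
        HashMap<String, String> notAllowed = new HashMap<>();
        notAllowed.put("k", "v");
        try {
            deserializeFiltered(serialize(notAllowed));
            System.out.println("unexpected: HashMap was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with `java RmiDeserializationFilterDemo.java` (Java 11+); the rejection message names the filter status, which is also what to grep for in logs when auditing whether a filter is actually active in a deployment.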