[
https://issues.apache.org/jira/browse/OFBIZ-12646?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jacques Le Roux updated OFBIZ-12646:
------------------------------------
Summary: Java Deserialization vulnerability in Apache OfBiz
(CVE-2022-29063) (was: Java Deserialization vulnerability in Apache OfBiz)
> Java Deserialization vulnerability in Apache OfBiz (CVE-2022-29063)
> -------------------------------------------------------------------
>
> Key: OFBIZ-12646
> URL: https://issues.apache.org/jira/browse/OFBIZ-12646
> Project: OFBiz
> Issue Type: Bug
> Components: solr
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
>
> During a security assessment the following vulnerability was been found on
> Apache OfBiz by Matei "Mal" Badanoiu
> It's a Java Deserialization via RMI Connection:
> The OfBiz Solr plugin is configured by default to automatically make a RMI
> request on localhost, port 1099.
> By hosting a malicious RMI server on localhost, an attacker may exploit this
> behavior, at server start-up or on a server restart, in order to run
> arbitrary code as the user that started OfBiz and potentially elevate his/her
> privileges.
> We (security team) want to Note that this exploit can only be done on a
> shared server
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
