[jira] (OFBIZ-12646) Java Deserialization vulnerability in Apache OfBiz (CVE-2022-29063)

Sat, 03 Sep 2022 06:13:06 -0700 


    [ https://issues.apache.org/jira/browse/OFBIZ-12646 ]


    Jacques Le Roux deleted comment on OFBIZ-12646:
    -----------------------------------------

was (Author: jira-bot):
Commit 67cbf35e83068fcecc86af6a66ea2043e71ff544 in ofbiz-plugins's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-plugins.git;h=67cbf35e8 ]

Improved: Sorl external logging is not working, but a bit in console 
(OFBIZ-12646)

After removing useless system properties used to handle logging in
OFBizSolrContextFilter.java with commit 102eb511531d64c131ed78fe536fc2857b7eb4b1
that had a wrong commit title
<<Improved: Unable to upload a file through ecommerce (OFBIZ 12636)>>
and message that should have been:
<<Remove useless system properties used to handle logging. Maybe previously this
was working but it was then long ago.

Also speeds things a bit while loading Solr by using the not so obvious
SOLRHOME_ATTRIBUTE servlet attribute rather than the "solr/home" system property

Note: this is a 1st cleaning step and we are still missing external logging>>

I forgot to remove the related properties in solrconfig.properties, this does it


> Java Deserialization vulnerability in Apache OfBiz (CVE-2022-29063)
> -------------------------------------------------------------------
>
>                 Key: OFBIZ-12646
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12646
>             Project: OFBiz
>          Issue Type: Bug
>          Components: solr
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>
> During a security assessment the following vulnerability was been found on 
> Apache OfBiz by Matei "Mal" Badanoiu
> It's a Java Deserialization via RMI Connection:
> The OfBiz Solr plugin is configured by default to automatically make a RMI 
> request on localhost, port 1099. 
> By hosting a malicious RMI server on localhost, an attacker may exploit this 
> behavior, at server start-up or on a server restart, in order to run 
> arbitrary code as the user that started OfBiz and potentially elevate his/her 
> privileges.
> We (security team) want to Note that this exploit can only be done on a 
> shared server



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to