[
https://issues.apache.org/jira/browse/OFBIZ-12646?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17600208#comment-17600208
]
ASF subversion and git services commented on OFBIZ-12646:
---------------------------------------------------------
Commit 8281ec59b22b91c3c3c85e0af49473ee82a4a992 in ofbiz-site's branch
refs/heads/master from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-site.git;h=8281ec5 ]
Adds OFBIZ-12646 to release-notes-18.12.06.php (missed link)
> Java Deserialization vulnerability in Apache OfBiz (CVE-2022-29063)
> -------------------------------------------------------------------
>
> Key: OFBIZ-12646
> URL: https://issues.apache.org/jira/browse/OFBIZ-12646
> Project: OFBiz
> Issue Type: Sub-task
> Components: solr
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 18.12.06, 22.01.01
>
>
> The following vulnerability has been found by Matei "Mal" Badanoiu. It's a
> Java Deserialization via RMI Connection.
> The OfBiz Solr plugin is configured by default to automatically make a RMI
> request on localhost, port 1099.
> By hosting a malicious RMI server on localhost, an attacker may exploit this
> behavior, at server start-up or on a server restart, in order to run
> arbitrary code as the user that started OfBiz and potentially elevate his/her
> privileges.
> We (security team) want to Note that this exploit can only be done on a
> shared server. That's why it's of low severity.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
