Apache OFBiz - Unauth Stored XSS (CVE-2022-25370)
Severity: High
Vendor: The Apache Software Foundation
Versions Affected: OFBiz versions prior to 18.12.06
Description: The Birt viewer version 4.5.0 has a security issue that allows this exploit. We waited a long time for https://github.com/eclipse/birt/issues/625 to be resolved but eventually decided to release OFBiz 18.12.06 without the Birt component.
Mitigation: Upgrade to at least 18.12.06
Credit: npodoty...@ptsecurity.com
References: http://ofbiz.apache.org/download.html#vulnerabilities
Apache OFBiz - Unauth Path Traversal with file corruption (CVE-2022-25371)
Severity: High
Vendor: The Apache Software Foundation
Versions Affected: OFBiz versions prior to 18.12.06
Description: The Birt viewer version 4.5.0 has a security issue that allows this exploit. We waited a long time for https://github.com/eclipse/birt/issues/625 to be resolved but eventually decided to release OFBiz 18.12.06 without the Birt component.
Mitigation: Upgrade to at least 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-...
Credit: npodoty...@ptsecurity.com
References: http://ofbiz.apache.org/download.html#vulnerabilities
Apache OFBiz - Java Deserialization via RMI Connection (CVE-2022-29063)
Severity: Low (only on shared servers)
Vendor: The Apache Software Foundation
Versions Affected: OFBiz versions prior to 18.12.06
Description: The OFBiz Solr plugin is configured by default to automatically make an RMI request on localhost, port 1099. By hosting a malicious RMI server on localhost, an attacker may exploit this behavior.
Mitigation: Upgrade to at least 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12646
Credit: Matei "Mal" Badanoiu
References: http://ofbiz.apache.org/download.html#vulnerabilities
Apache OFBiz - Regular Expression Denial of Service (ReDoS) [CVE-2022-29158]
Severity: High
Vendor: The Apache Software Foundation
Versions Affected: OFBiz versions prior to 18.12.06
Description: Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users.
Mitigation: Upgrade to at least 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12599
Credit: Tony Torralba and Joseph Farebrother from the GitHub CodeQL team
References: http://ofbiz.apache.org/download.html#vulnerabilities
Apache OFBiz - Server-Side Template Injection (CVE-2022-25813)
Severity: High (SSTI then possible RCE)
Vendor: The Apache Software Foundation
Versions Affected: OFBiz versions prior to 18.12.06
Description: As an ecommerce anonymous client, an external attacker can insert malicious content in a message “Subject” field from the "Contact us" page. Then a party manager needs to list the communications in the party component to activate the SSTI. An RCE is then possible.
Mitigation: Upgrade to at least 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12594
Credit: Matei "Mal" Badanoiu
References: http://ofbiz.apache.org/download.html#vulnerabilities
[ANNOUNCE] Apache OFBiz 18.12 End-Of-Life (EOL) announcement
The Apache OFBiz Project Team would like to inform you that OFBiz 18.12.06 is the last release of the 18.12 branch, which has reached its end of life and will no longer be officially supported.

https://ofbiz.apache.org/release-notes-18.12.06.html

This announcement takes place on 2022-09-02 and starting from today we will only support Apache OFBiz 18.12.06 in case of security vulnerabilities.

Questions and Answers:

With the announcement of OFBiz 18.12.06 EOL, what happens to OFBiz 18.12.06 resources?

All resources will stay where they are. The documentation will still be accessible from the Apache OFBiz homepage[1], as well as the downloads for the last released OFBiz versions[2]. All of the OFBiz 18.12.06 source code can be found in the Apache OFBiz Git repository under branch release18.12, now and in the future. This concerns the framework[3] and the plugins[4].

[1] https://ofbiz.apache.org/
[2] https://downloads.apache.org/ofbiz
[3] https://github.com/apache/ofbiz-framework
[4] https://github.com/apache/ofbiz-plugins

Is there an immediate need to upgrade from OFBiz 18.12.06 in my projects?

If you are using a release between 18.12.01 and 18.12.05 you should immediately upgrade to 18.12.06, because there are several vulnerabilities present in all OFBiz releases before 18.12.06. As of today, there are no known vulnerabilities affecting OFBiz 18.12.06; however, considering that 18.12.06 is the last release in this branch, you should plan to migrate to 18.12.06 as soon as possible.

My friends / colleagues and I would like to see OFBiz 18.12.06 being continuously maintained. What can we do?

You may fork the existing source and support it on your own.

Kind regards
- The Apache OFBiz Team
[ANNOUNCE] Apache OFBiz 18.12.06 released
The Apache OFBiz community is pleased to announce the new release "Apache OFBiz 18.12.06".

Apache OFBiz® is an open source product for the automation of enterprise processes that includes framework components and business applications.
http://ofbiz.apache.org/

"Apache OFBiz 18.12.06" is the sixth and final release of the 18.12 series.

For details of the changes introduced with this new version please refer to
http://ofbiz.apache.org/release-notes-18.12.06.html

The history of security related fixes included in each release is available here:
https://ofbiz.apache.org/security.html

The release files can be downloaded following the instructions in the OFBiz download page:
http://ofbiz.apache.org/download.html
[VOTE] [RESULT]Apache OFBiz 18.12.06
The vote to release Apache OFBiz 18.12.06 is successful with 8 positive votes (of which 6 are binding) and no negative ones.

Thank you all for voting. I am going to proceed with the steps to publish the release.

Jacopo

On Thu, Aug 25, 2022 at 10:10 AM Jacopo Cappellato <jacopo.cappell...@gmail.com> wrote:

> This is the vote thread to publish "Apache OFBiz 18.12.06", the sixth and
> final release from the release18.12 branch.
>
> The release files can be downloaded from here:
> https://dist.apache.org/repos/dist/dev/ofbiz/
> and are:
> * apache-ofbiz-18.12.06.zip
> * KEYS: text file with keys
> * apache-ofbiz-18.12.06.zip.asc: the detached signature file
> * apache-ofbiz-18.12.06.zip.sha512: checksum file
>
> Please download and test the zip file and its signatures (for instructions
> on testing the signatures see http://www.apache.org/info/verification.html).
>
> Vote:
> [ +1] release as Apache OFBiz 18.12.06
> [ -1] do not release
>
> This vote is open for 5 days.
>
> For more details about this process please refer to
> http://www.apache.org/foundation/voting.html
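The vote mail above asks voters to download the zip and test its checksum and detached signature. The script below is an added example of how a downstream consumer can do that check before deploying the release; it is not part of the Apache mail or the OFBiz project. It assumes the file names listed in the vote mail (`apache-ofbiz-18.12.06.zip`, `.sha512`, `.asc`, `KEYS`) sit in the current directory, and it accepts both layouts Apache projects have used for `.sha512` files: the `sha512sum` form (`<hex>  <name>`) and the `gpg --print-md` form (`<name>: <hex groups>`). The signature step imports `KEYS` into a throwaway keyring so the user's own keyring is not modified.

```shell
#!/bin/sh
# Added example, not the project's own tooling: verify an Apache release artifact
# against its .sha512 file and its detached .asc signature using the KEYS file.

# verify_sha512 ARTIFACT SHA512FILE
# Returns 0 when the SHA-512 of ARTIFACT equals the digest recorded in SHA512FILE.
# Handles "<hex>  <name>" (sha512sum) and "<name>: <hex groups>" (gpg --print-md),
# including digests wrapped over several lines and written in upper case.
verify_sha512() {
    artifact=$1
    sumfile=$2
    [ -f "$artifact" ] && [ -f "$sumfile" ] || return 2
    # Drop a leading "<name>:" prefix if present, strip everything that is not a hex
    # digit, join the lines, lowercase, and keep the first 128 hex characters.
    expected=$(tr -d '\r' < "$sumfile" \
        | sed -e 's/^[^:]*: *//' -e 's/[^0-9A-Fa-f]//g' \
        | tr -d '\n' | tr 'A-F' 'a-f' | cut -c1-128)
    if command -v sha512sum >/dev/null 2>&1; then
        actual=$(sha512sum "$artifact" | cut -c1-128)
    elif command -v shasum >/dev/null 2>&1; then
        actual=$(shasum -a 512 "$artifact" | cut -c1-128)
    else
        return 3
    fi
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# verify_signature ARTIFACT ASCFILE KEYSFILE
# Returns 0 when ASCFILE is a valid signature over ARTIFACT by a key in KEYSFILE,
# 2 when gpg is not installed, 3 when an input is missing, 4 when KEYS cannot be
# imported, and gpg's own non-zero status when the signature does not verify.
verify_signature() {
    artifact=$1
    sig=$2
    keys=$3
    command -v gpg >/dev/null 2>&1 || return 2
    [ -f "$artifact" ] && [ -f "$sig" ] && [ -f "$keys" ] || return 3
    # Throwaway keyring: only the keys in KEYS are trusted for this check.
    GNUPGHOME=$(mktemp -d) || return 3
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    if ! gpg --batch --quiet --import "$keys" >/dev/null 2>&1; then
        rm -rf "$GNUPGHOME"; unset GNUPGHOME
        return 4
    fi
    gpg --batch --verify "$sig" "$artifact" >/dev/null 2>&1
    rc=$?
    rm -rf "$GNUPGHOME"; unset GNUPGHOME
    return $rc
}

# verify_release ZIP
# Runs both checks for ZIP, ZIP.sha512, ZIP.asc and KEYS in the current directory.
verify_release() {
    zip=$1
    if verify_sha512 "$zip" "$zip.sha512"; then
        echo "sha512:    OK"
    else
        echo "sha512:    FAILED"; return 1
    fi
    verify_signature "$zip" "$zip.asc" KEYS
    case $? in
        0) echo "signature: OK" ;;
        2) echo "signature: skipped (gpg not installed)"; return 2 ;;
        *) echo "signature: FAILED"; return 1 ;;
    esac
}

# Stand-alone usage: sh verify-release.sh apache-ofbiz-18.12.06.zip
if [ $# -ge 1 ]; then
    verify_release "$1"
fi
```

A passing `gpg --verify` only shows the artifact was signed by some key present in `KEYS`, so `KEYS` itself must come from the project's official distribution location (https://downloads.apache.org/ofbiz in the EOL mail above), not from the same mirror or candidate directory as the zip.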
Re: [VOTE] Apache OFBiz 18.12.06
+1

Jacopo

On Thu, Aug 25, 2022 at 10:10 AM Jacopo Cappellato <jacopo.cappell...@gmail.com> wrote:

> This is the vote thread to publish "Apache OFBiz 18.12.06", the sixth and
> final release from the release18.12 branch.
>
> The release files can be downloaded from here:
> https://dist.apache.org/repos/dist/dev/ofbiz/
> and are:
> * apache-ofbiz-18.12.06.zip
> * KEYS: text file with keys
> * apache-ofbiz-18.12.06.zip.asc: the detached signature file
> * apache-ofbiz-18.12.06.zip.sha512: checksum file
>
> Please download and test the zip file and its signatures (for instructions
> on testing the signatures see http://www.apache.org/info/verification.html).
>
> Vote:
> [ +1] release as Apache OFBiz 18.12.06
> [ -1] do not release
>
> This vote is open for 5 days.
>
> For more details about this process please refer to
> http://www.apache.org/foundation/voting.html