[CVE-2020-9496] Apache OFBiz unsafe deserialization of XMLRPC arguments


[CVE-2020-9496] Apache OFBiz unsafe deserialization of XMLRPC arguments

Scott Gray-3
Hi everyone,

I was recently made aware of an attack on an OFBiz deployment using the
vulnerability described below.  The attackers were able to exploit the
xmlrpc endpoint to initiate a full export of the database.  Fortunately
this deployment had an extremely large database and the attempt set off a
number of alerts which enabled the attack to be halted before any harm was
done.  A smaller (or lightly monitored) OFBiz installation would probably
not have been so fortunate.

Just sharing this to let everyone know that this vulnerability is being
exploited in the wild and if you haven't taken steps to lock down this
endpoint then you should do so ASAP.  Please also share this warning with
anyone you know who might be affected but perhaps don't keep an eye on this
list.

https://issues.apache.org/jira/browse/OFBIZ-11716

Regards
Scott

Re: [CVE-2020-9496] Apache OFBiz unsafe deserialization of XMLRPC arguments

Jacques Le Roux
Thanks for the warning Scott!

Security needs to be taken seriously before damage is done.

Jacques

On 16/11/2020 at 20:08, Scott Gray wrote:

> Hi everyone,
>
> I was recently made aware of an attack on an OFBiz deployment using the
> vulnerability described below.  The attackers were able to exploit the
> xmlrpc endpoint to initiate a full export of the database.  Fortunately
> this deployment had an extremely large database and the attempt set off a
> number of alerts which enabled the attack to be halted before any harm was
> done.  A smaller (or lightly monitored) OFBiz installation would probably
> not have been so fortunate.
>
> Just sharing this to let everyone know that this vulnerability is being
> exploited in the wild and if you haven't taken steps to lock down this
> endpoint then you should do so ASAP.  Please also share this warning with
> anyone you know who might be affected but perhaps don't keep an eye on this
> list.
>
> https://issues.apache.org/jira/browse/OFBIZ-11716
>
> Regards
> Scott