[ofbiz-framework] branch release17.12 updated: Fixed: Apache OFBiz unsafe deserialization of XMLRPC arguments (CVE-2020-9496)


[ofbiz-framework] branch release17.12 updated: Fixed: Apache OFBiz unsafe deserialization of XMLRPC arguments (CVE-2020-9496)

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release17.12 by this push:
     new d708d9a  Fixed: Apache OFBiz unsafe deserialization of XMLRPC arguments (CVE-2020-9496)
d708d9a is described below

commit d708d9afcb3aaae61fc92f5b1b6f14b7374bba76
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Tue May 19 15:56:02 2020 +0200

    Fixed: Apache OFBiz unsafe deserialization of XMLRPC arguments (CVE-2020-9496)
   
    (OFBIZ-11716)
   
    Because the 2 xmlrpc related requests in webtools (xmlrpc and ping) are not using
    authentication they are vulnerable to unsafe deserialization.
   
    thanks: Alvaro Munoz <[hidden email]> from the GitHub Security Lab team
---
 .../main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java | 4 ++++
 .../src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java      | 2 +-
 framework/webtools/webapp/webtools/WEB-INF/controller.xml             | 3 ++-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/framework/service/src/main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java b/framework/service/src/main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java
index 95b3432..108abd1 100644
--- a/framework/service/src/main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java
+++ b/framework/service/src/main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java
@@ -98,6 +98,10 @@ public class XMLRPCClientEngine extends GenericAsyncEngine {
                 Integer port = rpcPort + Start.getInstance().getConfig().portOffset;
                 url = url.replace(rpcPort.toString(), port.toString());
             }
+            // Necessary for "service-xml-rpc-local-engine" test
+            if (serviceName.equals("testXmlRpcAdd")) {
+                url = url + "?USERNAME=admin&PASSWORD=ofbiz";
+            }
             login = ServiceConfigUtil.getEngineParameter(engine, "login");
             password = ServiceConfigUtil.getEngineParameter(engine, "password");
             keyStoreComponent = ServiceConfigUtil.getEngineParameter(engine, "keyStoreComponent");
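Review bot: The added branch appends hard-coded admin credentials to `url` as query parameters, so they land in access logs, proxy logs and any exception or debug message that prints the URL, and because the check sits in the production engine it fires for any service named `testXmlRpcAdd`, not only under the test. The engine already reads `login` and `password` from the engine configuration on the two lines that follow (their use is outside the hunk); if the XML-RPC client can send those as request credentials, that path would keep the secret out of the URL, and otherwise the test credentials belong in test-only configuration rather than in this class. The same query-string credentials appear in the XmlRpcTests hunk of this commit. If `serviceName` can be null at this point, `"testXmlRpcAdd".equals(serviceName)` avoids an NPE. The enclosing method begins and ends outside the hunk.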
diff --git a/framework/service/src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java b/framework/service/src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java
index be08043..c38608b 100644
--- a/framework/service/src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java
+++ b/framework/service/src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java
@@ -38,7 +38,7 @@ public class XmlRpcTests extends AbstractXmlRpcTestCase {
 
     public static final String module = XmlRpcTests.class.getName();
     public static final String resource = "ServiceErrorUiLabels";
-    private static String url = "http://localhost:8080/webtools/control/xmlrpc";
+    private static String url = "http://localhost:8080/webtools/control/xmlrpc?USERNAME=admin&PASSWORD=ofbiz";
 
     public XmlRpcTests(String name) {
         super(name);
diff --git a/framework/webtools/webapp/webtools/WEB-INF/controller.xml b/framework/webtools/webapp/webtools/WEB-INF/controller.xml
index 39201cc..363ee59 100644
--- a/framework/webtools/webapp/webtools/WEB-INF/controller.xml
+++ b/framework/webtools/webapp/webtools/WEB-INF/controller.xml
@@ -55,13 +55,14 @@ under the License.
         <response name="success" type="none"/>
     </request-map>
     <request-map uri="xmlrpc" track-serverhit="false" track-visit="false">
-        <security https="false"/>
+        <security auth="true"/>
         <event type="xmlrpc"/>
         <response name="error" type="none"/>
         <response name="success" type="none"/>
     </request-map>
 
     <request-map uri="ping">
+        <security auth="true"/>
         <event type="service" invoke="ping"/>
         <response name="error" type="view" value="ping"/>
         <response name="success" type="view" value="ping"/>
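Review bot: `auth="true"` now makes the `xmlrpc` and `ping` request-maps accept credentials, but the replaced `<security https="false"/>` is dropped rather than updated, so nothing in this file requires TLS on either endpoint, and the commit's own test hunks send `USERNAME`/`PASSWORD` to an `http://` URL. Consider `<security https="true" auth="true"/>` on both request-maps, or a comment explaining why TLS is left to the deployment. Whether an omitted `https` attribute defaults to off is not visible here and should be confirmed against the controller config reader. The `ping` request-map closes outside the hunk.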