This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push: new 9c16989 Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332) 9c16989 is described below commit 9c1698917aa8f5d0fd88f242b2481cb15e3334ce Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Fri Oct 8 19:13:20 2021 +0200 Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332) As reported by Jie Zhu: <<The latest version of the OFBiz framework (17.12.08) is affected by an XMLRPC Remote Code Execution Vulnerability. This vulnerability is caused by incomplete patch repair of cve-2020-9496.>> Actually this is not an OFBiz bug (so not related to CVE-2020-9496) but an old XMLRPC bug (Archiva was(/is?)) also affected: https://nvd.nist.gov/vuln/detail/CVE-2016-5003 Unfortunately XMLRPC is no longer maintained, so it's OFBiz responsibility to fix this bug. As the code that secures serialisation in OFBiz is not reached by this bug, the solution is to secure it at the ContextFilter class level (ie before it reaches secured serialisation in OFBiz source). Thanks: Jie Zhu for report and help.
---
 .../main/java/org/apache/ofbiz/webapp/control/ContextFilter.java | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ContextFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ContextFilter.java
index 69f89b1..6f3de70 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ContextFilter.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ContextFilter.java
@@ -20,6 +20,7 @@ package org.apache.ofbiz.webapp.control;
 import java.io.IOException;
 import java.util.Enumeration;
+import java.util.stream.Collectors;
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
@@ -90,6 +91,13 @@ public class ContextFilter implements Filter {
 HttpServletRequest httpRequest = (HttpServletRequest) request;
 HttpServletResponse httpResponse = (HttpServletResponse) response;
+ String body = request.getReader().lines().collect(Collectors.joining());
+ if (body.contains("</serializable>")) {
+ Debug.logError("Content not authorised for security reason", MODULE); // Cf. OFBIZ-12332
+ return;
+ }
+ + // ----- Servlet Object Setup -----
 // set the ServletContext in the request for future use