Re: [CVE-2020-9496] Apache OFBiz unsafe deserialization of XMLRPC arguments

2020-11-17 Thread Jacques Le Roux

Thanks for the warning Scott!

Security needs to be taken seriously before damages are done.

Jacques

On 16/11/2020 at 20:08, Scott Gray wrote:

> Hi everyone,
>
> I was recently made aware of an attack on an OFBiz deployment using the
> vulnerability described below.  The attackers were able to exploit the
> xmlrpc endpoint to initiate a full export of the database.  Fortunately
> this deployment had an extremely large database and the attempt set off a
> number of alerts which enabled the attack to be halted before any harm was
> done.  A smaller (or lightly monitored) OFBiz installation would probably
> not have been so fortunate.
>
> Just sharing this to let everyone know that this vulnerability is being
> exploited in the wild and if you haven't taken steps to lock down this
> endpoint then you should do so ASAP.  Please also share this warning with
> anyone you know who might be affected but perhaps don't keep an eye on this
> list.
>
> https://issues.apache.org/jira/browse/OFBIZ-11716
>
> Regards
> Scott

[CVE-2020-9496] Apache OFBiz unsafe deserialization of XMLRPC arguments

2020-11-16 Thread Scott Gray

Hi everyone,

I was recently made aware of an attack on an OFBiz deployment using the
vulnerability described below.  The attackers were able to exploit the
xmlrpc endpoint to initiate a full export of the database.  Fortunately
this deployment had an extremely large database and the attempt set off a
number of alerts which enabled the attack to be halted before any harm was
done.  A smaller (or lightly monitored) OFBiz installation would probably
not have been so fortunate.

Just sharing this to let everyone know that this vulnerability is being
exploited in the wild and if you haven't taken steps to lock down this
endpoint then you should do so ASAP.  Please also share this warning with
anyone you know who might be affected but perhaps don't keep an eye on this
list.

https://issues.apache.org/jira/browse/OFBIZ-11716

Regards
Scott
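A defender-side illustration of the advice above (monitor the xmlrpc endpoint and lock it down to trusted sources), added here as an example and not part of Scott's message or the OFBiz project: it scans constructed access-log lines, counts requests to the XML-RPC endpoint per source address and raises an alert for any source outside an allowlist. The log lines, the /webtools/control/xmlrpc path and the 10.0.0.0/8 trusted range are assumptions to adjust for a real deployment.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in combined access-log format (not from a real deployment).
# The /webtools/control/xmlrpc path is an assumption; adjust it to your deployment.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Nov/2020:19:55:01 +0000] "POST /webtools/control/xmlrpc HTTP/1.1" 200 512 "-" "python-requests/2.24"
10.0.0.5 - - [16/Nov/2020:19:55:03 +0000] "GET /control/main HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Nov/2020:19:55:04 +0000] "POST /webtools/control/xmlrpc HTTP/1.1" 200 640 "-" "python-requests/2.24"
10.0.0.9 - - [16/Nov/2020:19:56:10 +0000] "POST /webtools/control/xmlrpc HTTP/1.1" 200 300 "-" "Java/11"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Source networks still allowed to reach the endpoint once it is locked down (assumed range).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

def is_xmlrpc_request(path: str) -> bool:
    # Assumption: the OFBiz XML-RPC handler is served under a path containing "xmlrpc".
    return "xmlrpc" in path.lower()

def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def audit_xmlrpc(log_text: str):
    """Return (xmlrpc requests per source IP, alert lines for untrusted sources)."""
    counts = Counter()
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_xmlrpc_request(m["path"]):
            continue  # malformed line or unrelated request
        counts[m["ip"]] += 1
        if not is_trusted(m["ip"]):
            alerts.append(f'{m["ts"]} {m["ip"]} {m["method"]} {m["path"]} -> {m["status"]}')
    return counts, alerts

if __name__ == "__main__":
    counts, alerts = audit_xmlrpc(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} xmlrpc request(s)")
    for a in alerts:
        print("ALERT untrusted source reached xmlrpc endpoint:", a)
```

Point the script at the real access log and feed the alert lines into whatever alerting already watches the deployment; any hit from outside the allowlist after the endpoint has been locked down means the restriction is not in effect.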