CVE-2016-2170: Apache OFBiz 13.07.02 / 13.07.01 Information Disclosure (via Packet Storm)

Apache OFBiz 12.04.x before 12.04.06 and 13.07.x before 13.07.03 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.

==========================================
CVE-2016-2170: Apache OFBiz information disclosure vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache OFBiz 13.07.02 and 13.07.01
Apache OFBiz 12.04.05 and earlier releases in the series (12.04.*)
The unsupported releases 11.04.*, 10.04.* and 09.04 are also affected but not fixed.

Description:
The infamous Java serialization vulnerability

Mitigation:
13.07.* users should upgrade to 13.07.03
12.04.05 users should upgrade to 12.04.06 (note, though, that in 12.04.06 RMI is not deactivated, so you should use the recommended remediation: notsoserial)

Credit:
This infamous issue was confirmed to be an issue in OFBiz by the OFBiz team, due to two external Java libraries and RMI usage.

Remediation:
Apart from when using RMI with version 12.04.03, nothing is needed. But with any version, if you use JNDI, JMX or Spring, and maybe other Java classes, please check the references (hint: use notsoserial with your own whitelist).

References:
https://cwiki.apache.org/confluence/display/OFBIZ/The+infamous+Java+serialize+vulnerability
==========================================
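The remediation above recommends an allowlist ("whitelist") on what `ObjectInputStream` is permitted to resolve, which is what notsoserial does as a Java agent. The following is an added example written for this page, not code from OFBiz, notsoserial or the Apache advisory; it shows the same idea done directly in application code by overriding `resolveClass`, so that a stream naming any class outside the allowlist (for instance a Commons Collections transformer chain) is rejected before its `readObject` logic can run. The `OrderSummary` type and the allowlist contents are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/**
 * Added example: an ObjectInputStream that only resolves classes on an
 * explicit allowlist. Every class descriptor in the stream passes through
 * resolveClass(), so unexpected types are refused before instantiation.
 */
public class AllowlistObjectInputStream extends ObjectInputStream {

    // Constructed allowlist: the application's own DTO plus the few JDK
    // types it legitimately carries. Nothing else is ever resolved.
    private static final Set<String> ALLOWED = Set.of(
            "AllowlistObjectInputStream$OrderSummary",
            "java.lang.String",
            "java.lang.Integer",
            "java.lang.Number");

    public AllowlistObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // Fail closed: the class is never loaded, so no static
            // initializer or readObject of the refused type executes.
            throw new InvalidClassException(name, "class not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    // Constructed sample payload type used to exercise the stream.
    static final class OrderSummary implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final int items;
        OrderSummary(String id, int items) { this.id = id; this.items = items; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (AllowlistObjectInputStream in =
                     new AllowlistObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // An allowlisted type round-trips normally.
        OrderSummary ok = (OrderSummary) deserialize(serialize(new OrderSummary("A-1", 3)));
        System.out.println("accepted: " + ok.id + " x" + ok.items);

        // Any type outside the allowlist is refused, even a harmless
        // java.util.ArrayList, because the allowlist is deny-by-default.
        List<String> notAllowed = new ArrayList<>(List.of("x"));
        try {
            deserialize(serialize(notAllowed));
            System.out.println("unexpected: ArrayList was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac AllowlistObjectInputStream.java && java AllowlistObjectInputStream`. On Java 9 and later the same policy can be expressed without subclassing through `ObjectInputStream.setObjectInputFilter` (JEP 290), or process-wide with the `jdk.serialFilter` system property; the agent approach the advisory points to is useful when the deserializing code (RMI, JMX, JNDI) is not under your control and cannot be edited this way.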
