This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push: new d6d8630 Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332) d6d8630 is described below
commit d6d863020c0fe89f949e5d2cd23d5ecc95d68c4c
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri Oct 8 19:13:20 2021 +0200
Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)
As reported by Jie Zhu: <<The latest version of the OFBiz framework (17.12.08) is affected by an XMLRPC Remote Code Execution Vulnerability. This vulnerability is caused by incomplete patch repair of cve-2020-9496.>>
Actually this is not an OFBiz bug (so not related to CVE-2020-9496) but an old XMLRPC bug (Archiva was(/is?)) also affected: https://nvd.nist.gov/vuln/detail/CVE-2016-5003
Unfortunately XMLRPC is no longer maintained, so it's OFBiz responsibility to fix this bug.
As the code that secures serialisation in OFBiz is not reached by this bug, the solution is to secure it at the ContextFilter class level (ie before it reaches secured serialisation in OFBiz source).
Thanks: Jie Zhu for report and help.
---
.../main/java/org/apache/ofbiz/webapp/control/ContextFilter.java | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ContextFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ContextFilter.java
index 397ee92..46cf063 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ContextFilter.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ContextFilter.java
@@ -20,6 +20,7 @@ package org.apache.ofbiz.webapp.control;
 import java.io.IOException;
 import java.util.Enumeration;
+import java.util.stream.Collectors;
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
@@ -94,6 +95,13 @@ public class ContextFilter implements Filter {
 HttpServletRequest httpRequest = (HttpServletRequest) request;
 HttpServletResponse httpResponse = (HttpServletResponse) response;
+ String body = request.getReader().lines().collect(Collectors.joining());
+ if (body.contains("</serializable>")) {
+ Debug.logError("Content not authorised for security reason", MODULE); // Cf. OFBIZ-12332
+ return;
+ }
+
+
 // ----- Servlet Object Setup -----
 // set the ServletContext in the request for future use
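Review bot: The `request.getReader()` call on the first added line consumes the request body for every request that passes through ContextFilter, so any downstream `getInputStream()` call will throw IllegalStateException and, on containers that parse form bodies lazily, POSTed form parameters read later via `getParameter()` are likely lost; the check needs a body-caching `HttpServletRequestWrapper` handed down the chain (or should be confined to the XML-RPC endpoint) rather than a raw read in a global filter. The whole body is also buffered into a String regardless of size or content type, which exposes the filter to memory pressure on large uploads. Returning without touching the response leaves the client with an empty success response; rejecting with `httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN); return;` is more honest and easier to detect in logs and monitoring. Finally, the `</serializable>` substring match is a blacklist: an end tag written as `</serializable >` is still well-formed XML and passes this check, so the XML-RPC parser should additionally refuse `ex:serializable` values at parse time rather than relying on this filter alone. doFilter's signature and the rest of its body lie outside the hunk.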