CyberSec.Space Logo
Back to CVE Browser

CVE-2019-0189

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.1530%
EPSS Percentile12.65th
PublishedSep 11, 2019
Last ModifiedNov 21, 2024

Vulnerability Description

The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the "webtools/control/httpService" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter "serviceContext" is passed to the "deserialize" method of "XmlSerializer". Apache Ofbiz is affected via two different dependencies: "commons-beanutils" and an out-dated version of "commons-fileupload" Mitigation: Upgrade to 16.11.06 or manually apply the commits from OFBIZ-10770 and OFBIZ-10837 on branch 16

Affected Platforms (CPE)

πŸ“¦
Apache

Ofbiz

>= 16.11.01 and < 16.11.06

References & Advisories

πŸ”— https://lists.apache.org/thread.html/7316b4fa811e1ec27604cda3c30560e7389fc6b8c91996c9640fabb8%40%3Cnotifications.ofbiz.apache.org%3E
πŸ”— https://lists.apache.org/thread.html/986ed5f1a0e209f87ed4a2d348ae5735054f9188912bb2fed7a5543f%40%3Cnotifications.ofbiz.apache.org%3E
πŸ”— https://lists.apache.org/thread.html/r11fd9562dbdfc0be95e40518cbef70ab2565129f6f542a870ab82c69%40%3Cnotifications.ofbiz.apache.org%3E
πŸ”— https://lists.apache.org/thread.html/r2c2db313ac9a43f1cfbd01092e4acb0b8bd38d90091889236ad827e7%40%3Cnotifications.ofbiz.apache.org%3E
πŸ”— https://lists.apache.org/thread.html/r883840bbb4e2366acd0f6477e86b584000900a270a86587f979a55f9%40%3Ccommits.ofbiz.apache.org%3E
πŸ”— https://lists.apache.org/thread.html/r8f01aab5dd92487c191599def3c950c643d7ad297c4db1d6722ea151%40%3Ccommits.ofbiz.apache.org%3E
πŸ”— https://lists.apache.org/thread.html/rb0e716837168dc1073fcd76bea644806e5337c247fdb5d8c243d41f8%40%3Ccommits.ofbiz.apache.org%3E
πŸ”— https://lists.apache.org/thread.html/rc0a839fe38d3de775f62e39d45af91870950b59688b64ab61ecc080e%40%3Cnotifications.ofbiz.apache.org%3E

Related Vulnerabilities

CVE-2013-225010.0

Apache Open For Business Project (aka OFBiz) 10.04.01 through 10.04.05, 11.04.01 through 11.04.02, and 12.04.01 allows remote atta...

CVE-2012-350610.0

Unspecified vulnerability in the Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.03 has unknown impact and attac...

CVE-2019-100749.8

An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on ...

CVE-2018-172009.8

The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtool...