oss-sec mailing list archives

Apache OFBiz - Java Deserialization via RMI Connection (CVE-2022-29063)


From: Jacques Le Roux <jleroux () apache org>
Date: Fri, 2 Sep 2022 08:25:13 +0200

Severity:
Low (only on shared servers)

Vendor:
The Apache Software Foundation

Versions Affected:
OFBiz versions prior to 18.12.06

Description:
The OFBiz Solr plugin is configured by default to automatically make an
RMI request to localhost, port 1099. Because the RMI client deserializes
whatever the server returns, an attacker who can bind that port on the
same host (hence the "shared servers" severity note) may host a malicious
RMI server there and exploit this behavior.

Mitigation:
Upgrade to at least 18.12.06
or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12646
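A small check a practitioner can run on an OFBiz host, added here as an example (not code from the advisory or from the OFBiz project): it decides whether a release string falls under "prior to 18.12.06" and whether anything is currently listening on the loopback port the Solr plugin connects to. The version format "major.minor.patch" with numeric components and the use of 127.0.0.1 are assumptions; the loopback listener test works by binding a throwaway socket of its own.

```python
import socket

# Fix version stated in the advisory: everything below it is affected.
FIXED_VERSION = "18.12.06"
# Default RMI target of the Solr plugin per the advisory (assumed to be IPv4 loopback).
RMI_HOST, RMI_PORT = "127.0.0.1", 1099


def parse_version(version: str) -> tuple:
    """Turn '18.12.05' into (18, 12, 5) so tuples compare numerically.

    Assumption: OFBiz release strings are dot-separated integers.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` is older than the fixed release (e.g. 17.12.x or 18.12.05)."""
    return parse_version(version) < parse_version(fixed)


def port_bound(host: str = RMI_HOST, port: int = RMI_PORT, timeout: float = 0.5) -> bool:
    """True if something accepts TCP connections on host:port.

    On an unpatched install this tells you whether a listener (the expected
    one or a rogue one) already sits where the Solr plugin will connect.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def bind_ephemeral(host: str = RMI_HOST):
    """Helper for self-testing: listen on a kernel-chosen port and return (sock, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed sample inputs, not real host data.
    for v in ("17.12.09", "18.12.05", "18.12.06", "22.01.00"):
        print(f"OFBiz {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    print(f"listener on {RMI_HOST}:{RMI_PORT}: {port_bound()}")
```

Run it as-is to get the verdict for a few constructed release strings and the live state of the loopback port; for a real host, substitute the version your deployment reports and, if the port is bound before OFBiz starts, find out which process owns it.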

Credit:
Matei "Mal" Badanoiu

References:
http://ofbiz.apache.org/download.html#vulnerabilities
