oss-sec mailing list archives
Apache OFBiz - Java Deserialization via RMI Connection (CVE-2022-29063)
From: Jacques Le Roux <jleroux () apache org>
Date: Fri, 2 Sep 2022 08:25:13 +0200
Severity: Low (only on shared servers)

Vendor: The Apache Software Foundation

Versions Affected: OFBiz versions prior to 18.12.06

Description: The OFBiz Solr plugin is configured by default to automatically make an RMI request on localhost, port 1099. By hosting a malicious RMI server on localhost, an attacker may exploit this behavior.

Mitigation: Upgrade to at least 18.12.06 or apply the patches at https://issues.apache.org/jira/browse/OFBIZ-12646

Credit: Matei "Mal" Badanoiu

References: http://ofbiz.apache.org/download.html#vulnerabilities
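The advisory's point is that the Solr plugin acts as an RMI client to 127.0.0.1:1099, so on a shared host the question a defender wants answered is "who is bound to that port before OFBiz connects to it?". The following script is an added example, not part of the advisory or of OFBiz: it parses the Linux socket table format of /proc/net/tcp (a constructed sample is embedded so it runs offline; on a Linux host it reads the real file) and reports every LISTEN socket on port 1099 together with the uid that owns it, so a listener owned by an account other than the one running OFBiz stands out. The port number and the little-endian layout of the hex IP field are assumptions the code comments mark.

```python
"""Report processes listening on the RMI registry port the OFBiz Solr plugin connects to.

Added example, not code from the advisory or the OFBiz project. It reads the
/proc/net/tcp socket table (Linux) and lists LISTEN sockets on port 1099 with
the owning uid, so an unexpected owner on a shared server can be spotted.
"""
import os
import pwd
import socket
import struct

RMI_REGISTRY_PORT = 1099   # port named in the advisory
TCP_LISTEN = 0x0A          # value of the "st" column for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (header line plus three sockets):
#   row 0: sshd listening on 0.0.0.0:22, owned by root (uid 0)
#   row 1: an ESTABLISHED client connection to 10.0.0.1:25 (not a listener)
#   row 2: a listener on 127.0.0.1:1099 owned by uid 1001, an unprivileged account
# The IP field is written the way a little-endian kernel prints it (assumption).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:A1B2 0100000A:0019 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:044B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 12347 1 0000000000000000 100 0 0 10 0
"""


def parse_proc_net_tcp(text):
    """Return (local_ip, local_port, state, uid) for every socket row in the table."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The kernel prints the raw 32-bit address in host byte order, so packing
        # it with native order ("=I") yields the bytes in network order.
        ip = socket.inet_ntoa(struct.pack("=I", int(hex_ip, 16)))
        rows.append((ip, int(hex_port, 16), int(fields[3], 16), int(fields[7])))
    return rows


def find_listeners(text, port=RMI_REGISTRY_PORT):
    """Return every LISTEN socket bound to `port` as {"ip", "port", "uid"}."""
    return [
        {"ip": ip, "port": p, "uid": uid}
        for ip, p, st, uid in parse_proc_net_tcp(text)
        if st == TCP_LISTEN and p == port
    ]


def unexpected_listeners(text, expected_uid, port=RMI_REGISTRY_PORT):
    """Listeners on `port` owned by a uid other than the one OFBiz runs as."""
    return [entry for entry in find_listeners(text, port) if entry["uid"] != expected_uid]


def uid_name(uid):
    """Best-effort username lookup; falls back to the numeric uid."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


if __name__ == "__main__":
    path = "/proc/net/tcp"
    if os.path.exists(path):
        with open(path) as fh:
            table = fh.read()
    else:
        table = SAMPLE_PROC_NET_TCP   # non-Linux host: fall back to the constructed sample
    # Assumption: OFBiz runs as the current user; adjust to the service account in use.
    for entry in find_listeners(table):
        flag = "" if entry["uid"] == os.getuid() else "  <-- not the OFBiz account"
        print(f"{entry['ip']}:{entry['port']} owned by {uid_name(entry['uid'])}{flag}")
```

Run it before starting OFBiz on a multi-user host: any line flagged as not belonging to the OFBiz service account means another local user already holds the port the plugin will connect to, which is exactly the condition the advisory describes. The same parser can be pointed at /proc/net/tcp6 for IPv6 listeners if the address decoding is extended to 128-bit values.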