Posted to user@ofbiz.apache.org by Scott Gray <sc...@hotwaxsystems.com> on 2020/11/16 19:08:50 UTC

[CVE-2020-9496] Apache OFBiz unsafe deserialization of XMLRPC arguments

Hi everyone,

I was recently made aware of an attack on an OFBiz deployment using the
vulnerability described below.  The attackers were able to exploit the
xmlrpc endpoint to initiate a full export of the database.  Fortunately
this deployment had an extremely large database and the attempt set off a
number of alerts which enabled the attack to be halted before any harm was
done.  A smaller (or lightly monitored) OFBiz installation would probably
not have been so fortunate.

Just sharing this to let everyone know that this vulnerability is being
exploited in the wild and if you haven't taken steps to lock down this
endpoint then you should do so ASAP.  Please also share this warning with
anyone you know who might be affected but perhaps doesn't keep an eye on this
list.

https://issues.apache.org/jira/browse/OFBIZ-11716

Regards
Scott
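
One concrete way to "lock down" the XML-RPC endpoint while an upgrade is scheduled is to inspect request bodies before they reach OFBiz. The block below is an added example, not code from the post or from the OFBiz project. It assumes the endpoint is served at the default OFBiz path /webtools/control/xmlrpc and that the attack relies on the Apache XML-RPC extension type <serializable>, whose content is a base64-encoded Java serialized object (the Java stream header 0xACED0005 base64-encodes to a string starting "rO0AB"). The two request bodies are constructed samples; the "gadget" is a dummy byte string, not a real exploit chain. The filter returns findings for any <serializable> value and for any element whose base64 text decodes to a Java object, and a front-end proxy or WSGI middleware can reject the request when the list is non-empty.

```python
"""Pre-filter for XML-RPC request bodies bound for the OFBiz xmlrpc endpoint.

Added example (not OFBiz project code). Flags the Apache XML-RPC extension type
<serializable>, the argument type that CVE-2020-9496 deserializes, plus any
base64 element text that decodes to a Java serialized object.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # java.io.ObjectOutputStream stream header
XMLRPC_EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"

# Assumed default OFBiz path; adjust to the deployment's actual mount point.
OFBIZ_XMLRPC_PATH = "/webtools/control/xmlrpc"


def _local_name(tag):
    # ElementTree renders namespaced tags as "{ns}name"; keep only the name.
    return tag.rsplit("}", 1)[-1]


def _decodes_to_java_object(text):
    # True when the (whitespace-tolerant) base64 text decodes to bytes that
    # start with the Java serialization header.
    if not text:
        return False
    try:
        raw = base64.b64decode("".join(text.split()), validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(JAVA_SERIAL_MAGIC)


def inspect_xmlrpc_body(body):
    """Return a list of findings for one XML-RPC request body.

    An empty list means nothing suspicious was seen; an unparseable body is
    itself a finding, because a filter that fails open is no filter.
    """
    findings = []
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return ["unparseable XML-RPC body: %s" % exc]
    if _local_name(root.tag) != "methodCall":
        findings.append("unexpected root element <%s>" % _local_name(root.tag))
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name == "serializable":
            findings.append(
                "XML-RPC <serializable> value present (Java deserialization sink)")
        if _decodes_to_java_object(elem.text):
            findings.append("<%s> carries a base64 Java serialized object" % name)
    return findings


def should_block(body):
    """Decision a proxy or WSGI middleware would act on: block when anything was flagged."""
    return bool(inspect_xmlrpc_body(body))


# --- constructed samples (not captured traffic) -----------------------------

BENIGN_REQUEST = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>ping</methodName>
  <params>
    <param><value><string>hello</string></value></param>
  </params>
</methodCall>"""

# Dummy payload: only the Java stream header is real; the rest is filler.
_FAKE_GADGET = base64.b64encode(
    JAVA_SERIAL_MAGIC + b"constructed dummy, not a real gadget chain").decode()

MALICIOUS_REQUEST = ("""<?xml version="1.0"?>
<methodCall>
  <methodName>ProjectDiscovery</methodName>
  <params>
    <param><value>
      <serializable xmlns="%s">%s</serializable>
    </value></param>
  </params>
</methodCall>""" % (XMLRPC_EXT_NS, _FAKE_GADGET)).encode()


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_REQUEST), ("malicious", MALICIOUS_REQUEST)):
        print(label, "->", "BLOCK" if should_block(body) else "allow",
              inspect_xmlrpc_body(body))
```

Two design notes: the check is on the element's local name, so a payload that moves <serializable> into a different namespace or prefix is still caught, and the base64 probe is applied to every text node, so a Java object hidden in an ordinary <base64> or <string> value is flagged even though that alone would not reach the deserialization sink. This is a stop-gap for detection and blocking only; the fix is the patched release referenced in OFBIZ-11716.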

Re: [CVE-2020-9496] Apache OFBiz unsafe deserialization of XMLRPC arguments

Posted by Jacques Le Roux <ja...@les7arts.com>.
Thanks for the warning Scott!

Security needs to be taken seriously before damages are done.

Jacques

On 16/11/2020 at 20:08, Scott Gray wrote:
> Hi everyone,
>
> I was recently made aware of an attack on an OFBiz deployment using the
> vulnerability described below.  The attackers were able to exploit the
> xmlrpc endpoint to initiate a full export of the database.  Fortunately
> this deployment had an extremely large database and the attempt set off a
> number of alerts which enabled the attack to be halted before any harm was
> done.  A smaller (or lightly monitored) OFBiz installation would probably
> not have been so fortunate.
>
> Just sharing this to let everyone know that this vulnerability is being
> exploited in the wild and if you haven't taken steps to lock down this
> endpoint then you should do so ASAP.  Please also share this warning with
> anyone you know who might be affected but perhaps doesn't keep an eye on this
> list.
>
> https://issues.apache.org/jira/browse/OFBIZ-11716
>
> Regards
> Scott