CVE-2018-17200
First published: Wed Sep 11 2019(Updated: )
The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. This service takes the `serviceContent` parameter in the request and deserializes it using XStream. This `XStream` instance is slightly guarded by disabling the creation of `ProcessBuilder`. However, this can be easily bypassed (and in multiple ways). Mitigation: Upgrade to 16.11.06 or manually apply the following commits on branch 16 r1850017+1850019
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache OFBiz | >=16.11.01<=16.11.05 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.apache.org/thread.html/r034123f2767830169fd04c922afb22d2389de6e2faf3a083207202bc@%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r8f01aab5dd92487c191599def3c950c643d7ad297c4db1d6722ea151@%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rf8651e75162819a267384f8a31c20884bc3a9a6707afbf75200cd98d@%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rfafb229c0d805c8f2bd232d28cd1297876faf5c953f1d7bcf76eef4f@%3Ccommits.ofbiz.apache.org%3E
- https://s.apache.org/m9boi
- https://lists.apache.org/thread.html/r8f01aab5dd92487c191599def3c950c643d7ad297c4db1d6722ea151%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rf8651e75162819a267384f8a31c20884bc3a9a6707afbf75200cd98d%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r034123f2767830169fd04c922afb22d2389de6e2faf3a083207202bc%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rfafb229c0d805c8f2bd232d28cd1297876faf5c953f1d7bcf76eef4f%40%3Ccommits.ofbiz.apache.org%3E
Frequently Asked Questions
What is the vulnerability ID for this Apache OFBiz vulnerability?
The vulnerability ID for this Apache OFBiz vulnerability is CVE-2018-17200.
What is the severity level of CVE-2018-17200?
The severity level of CVE-2018-17200 is critical.
How does the Apache OFBiz HTTP engine handle requests for HTTP services?
The Apache OFBiz HTTP engine handles requests for HTTP services via the /webtools/control/httpService endpoint.
What is the affected software for CVE-2018-17200?
The affected software for CVE-2018-17200 is Apache OFBiz version 16.11.01 to 16.11.05.
Is there a fix available for CVE-2018-17200?
Yes, there is a fix available for CVE-2018-17200. It is recommended to update to a version of Apache OFBiz that is not affected by this vulnerability.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/severity
- agent/references
- agent/last-modified-date
- agent/tags
- agent/first-publish-date
- agent/description
- agent/event
- agent/source
- vendor/apache
- canonical/apache ofbiz
- version/apache ofbiz/16.11.01
- version/apache ofbiz/16.11.05