
Apache OFBiz - Remote Code Execution CVE-2021-26295

Severity
CVSSv3 Score
9.8
Vulnerability description

We found that the target server is vulnerable to CVE-2021-26295, a Remote Code Execution vulnerability in the Apache OFBiz server, affecting the /webtools/control/SOAPService endpoint. The root cause of this vulnerability is a logic error in the source code of the SafeObjectInputStream class, which allows insecure object deserialization. Therefore, an unauthenticated remote attacker can send an HTTP POST request to the /webtools/control/SOAPService endpoint containing XML data that encapsulates a malicious Java object, in order to execute code on the target server. We detected this vulnerability by sending an HTTP POST request to the vulnerable endpoint containing a payload for the whoami command and then parsing the output that is sent to one of our loggers. We send the response to a logger because this is an Out-of-Band vulnerability, meaning that the output of the command is not reflected in the HTTP response.

Risk description

A remote unauthenticated attacker can fully compromise the server in order to steal confidential information, install ransomware, or pivot to the internal network.

Exploit capabilities

Sniper can gain unauthenticated Remote Code Execution on the target system and extract multiple artefacts as evidence.

Recommendation

Upgrade Apache OFBiz to the latest version, or to a version higher than 17.12.08.

Codename
Not available
Detectable with
Network Scanner
Scan engine
Sniper
Exploitable with Sniper
Yes
CVE Published
Mar 1, 2021
Detection added at
Software Type
Planning system
Vendor
Apache
Product
OFBiz