Apache OFBiz - Remote Code Execution (CVE-2021-26295)
- CVSSv3 Score
- Vulnerability description
We found that the target server is vulnerable to CVE-2021-26295, a Remote Code Execution vulnerability in the Apache OFBiz server, affecting the /webtools/control/SOAPService endpoint. The root cause of this vulnerability consists in a logic error in source code of class
SafeObjectInputStreamwhich allow insecure object deserialization. Therefore, an unauthenticated remote attacker can send an HTTP POST request to the /webtools/control/SOAPService endpoint that contains XML data, encapsulating a malicious Java object, in order to execute code on the target server. We have detected this vulnerability by sending an HTTP POST request to the vulnerable endpoint that contains a payload for the
whoamicommand and then parsing the output that is sent to one of our loggers. We send the response to a logger because this is an Out-of-Band vulnerability, meaning that the output of the command is not reflected in the response.
- Risk description
The risk exists that a remote unauthenticated attacker can fully compromise the server in order to steal confidential information, install ransomware, or pivot to the internal network.
- Exploit capabilities
Sniper can gain unauthenticated Remote Code Execution on the target system and extract multiple artefacts as evidence.
Upgrade the Apache Ofbiz to the latest version or to a version higher than 17.12.08.
- Not available