Apache OFBiz - Remote Code Execution (CVE-2021-26295)

We found that the target server is vulnerable to CVE-2021-26295, a Remote Code Execution vulnerability in the Apache OFBiz server, affecting the /webtools/control/SOAPService endpoint. The root cause of this vulnerability consists in a logic error in source code of class SafeObjectInputStream which allow insecure object deserialization. Therefore, an unauthenticated remote attacker can send an HTTP POST request to the /webtools/control/SOAPService endpoint that contains XML data, encapsulating a malicious Java object, in order to execute code on the target server. We have detected this vulnerability by sending an HTTP POST request to the vulnerable endpoint that contains a payload for the whoami command and then parsing the output that is sent to one of our loggers. We send the response to a logger because this is an Out-of-Band vulnerability, meaning that the output of the command is not reflected in the response.

The risk exists that a remote unauthenticated attacker can fully compromise the server in order to steal confidential information, install ransomware, or pivot to the internal network.

Sniper can gain unauthenticated Remote Code Execution on the target system and extract multiple artefacts as evidence.

Upgrade the Apache Ofbiz to the latest version or to a version higher than 17.12.08.

https://nvd.nist.gov/vuln/detail/CVE-2021-26295

https://ridgesecurity.ai/blog/apache-ofbiz-three-deserialization-vulnerabilities-analysis-cve-2021-26295-cve-2021-29200-cve-2021-30128/