Posts

Apache OFBiz, Vulnerability

Overview:

  Apache OFBiz is an open source enterprise resource planning (ERP) system. It provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise. Apache OFBiz is a framework that provides a common data model and a set of business processes. Beyond the framework itself, Apache OFBiz offers the following functionality:

  • Accounting (agreements, invoicing, vendor management, general ledger)
  • Asset maintenance
  • Catalogue and product management
  • Facility and warehouse management system (WMS)
  • Manufacturing execution / manufacturing operations management (MES/MOM)
  • Order processing
  • Inventory management
  • Automated stock replenishment etc.
  • Content management system (CMS)
  • Human resources (HR)
  • People and group management
  • Project management sales force automation
  • Work effort management
  • Electronic point of sale (ePOS)
  • Electronic commerce (eCommerce) and scrum (development)

  An insecure deserialization vulnerability has been reported in Apache OFBiz. This vulnerability is due to Java serialization issues when processing requests. A remote unauthenticated attacker can exploit this vulnerability by sending a crafted request.

  Successful exploitation would result in arbitrary code execution.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-30128

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.7 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  An insecure deserialization vulnerability exists in Apache OFBiz. This vulnerability is due to missing input validation for malicious payloads sent in the [wpv-noautop]”cus-obj” tag[/wpv-noautop] XML element when a HTTP request is sent to the [wpv-noautop]”/webtools/control/SOAPService”[/wpv-noautop] Request-URI and also due to the existence of the secure deserialization bypass in the Java class [wpv-noautop]”org.apache.ofbiz.base.util.SafeObjectInputStream”[/wpv-noautop].

  The requests sent to this endpoint is initially handled by the Java class [wpv-noautop]”org.apache.ofbiz.webapp.control.RequestHandler”[/wpv-noautop] which determines the mapping for the URL. Next, the [wpv-noautop]invoke()[/wpv-noautop] method is called in the [wpv-noautop]”org.apache.ofbiz.webapp.event.SOAPEventHandler”[/wpv-noautop] class. This method then calls the method [wpv-noautop]deserialize()[/wpv-noautop] in the Java class [wpv-noautop]”org.apache.ofbiz.service.engine.SoapSerializer”[/wpv-noautop] which calls the method [wpv-noautop]deserialize()[/wpv-noautop] in the Java class [wpv-noautop]”org.apache.ofbiz.entity.serialize.XmlSerializer”[/wpv-noautop].

  The SOAP XML parsing is implemented in method [wpv-noautop]deserializeSingle()[/wpv-noautop] method in the Java class [wpv-noautop]”org.apache.ofbiz.entity.serialize.XmlSerializer”[/wpv-noautop]. If the tag name is [wpv-noautop]”cus-obj”[/wpv-noautop], the value of that XML element is stripped of all the space and colon [wpv-noautop]’:'[/wpv-noautop] characters in the method [wpv-noautop]fromHexString()[/wpv-noautop] also in the Java class [wpv-noautop]”org.apache.ofbiz.base.util.StringUtil”[/wpv-noautop] and the resulting byte array is passed to the method [wpv-noautop]getObject()[/wpv-noautop] in Java class [wpv-noautop]”org.apache.ofbiz.base.util.UtilObject”[/wpv-noautop]. This method then calls the method [wpv-noautop]getObjectException()[/wpv-noautop] in the Java class [wpv-noautop]org.apache.ofbiz.base.util.UtilObject[/wpv-noautop] where the insecure deserialization can occur.

  Note, that the code in the [wpv-noautop]getObjectException()[/wpv-noautop] method utilizes custom class called [wpv-noautop]”org.apache.ofbiz.base.util.SafeObjectInputStream”[/wpv-noautop] which extends Java standard library class ObjectInputStream. The Java class [wpv-noautop]”org.apache.ofbiz.base.util.SafeObjectInputStream”[/wpv-noautop] employs a whitelist of classes that are allowed to be deserialized. It allows deserialization of classes which contain the string [wpv-noautop]”java.”[/wpv-noautop].

  Also, the overloaded [wpv-noautop]resolveClass()[/wpv-noautop] method in this class calls the custom method [wpv-noautop]loadClass()[/wpv-noautop] in Java class [wpv-noautop]”org.apache.ofbiz.base.util.ObjectType”[/wpv-noautop]. The code in the method [wpv-noautop]loadClass()[/wpv-noautop] removes the name of the class to be loaded any string following and including the character ‘<'. This ensures that generic classes can be loaded. Additionally, the deserialization logic in JDK standard library class [wpv-noautop]ObjectStreamClass[/wpv-noautop] only checks the names of the classes before the deserialization by examining the name of the class after the last [wpv-noautop]'.'[/wpv-noautop] character (i.e., it does not check the entire class name before proceeding with the deserialization of the class). Therefore, an attacker can craft the serialized object with slightly altered class name that will be bypass the whitelist and JDK deserialization code that ensures the correct class is deserialized.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a malicious HTTP request containing a crafted XML payload in the body of the HTTP request. Since OFBiz also uses a vulnerable versions of Apache Commons BeanUtils or ROME libraries, an attacker can craft malicious XML payload by employing the ysoserial gadget tool and by changing all the class names in the serialized object as described above.

  Successful exploitation of this vulnerability could result in arbitrary code execution in the context of the user running the application.

Triggering the Problem:

  • The target must be running a vulnerable version of the software.
  • The attacker must have network connectivity to the vulnerable server.

Triggering Conditions:

  The attacker sends an HTTP request containing a maliciously crafted serialized object within the SOAP data to
the affected target. The vulnerability is triggered when the server deserializes the data.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTPS, over ports 8080/TCP, 8443/TCP

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 14804 Apache OFBiz Insecure Deserialization 1
  • IPS: 14805 Apache OFBiz Insecure Deserialization 2
  • IPS: 15485 Apache OFBiz Insecure Deserialization 3
  • IPS: 15548 Apache OFBiz Insecure Deserialization 4
  • IPS: 15549 Apache OFBiz Insecure Deserialization 5

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Blocking communication between Apache OFBiz and untrusted networks.
    • Update to a non-vulnerable version of the product.
    • Filter attack traffic.

The vendor has released the following advisory regarding this vulnerability:
https://ofbiz.apache.org/security.htm