QwikSec

Security Database

CVE

CWE

Training

CVE-2019-0189

Published: Sep 11, 2019

Modified: Aug 4, 2024

PUBLISHED

Description

The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the "webtools/control/httpService" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter "serviceContext" is passed to the "deserialize" method of "XmlSerializer". Apache Ofbiz is affected via two different dependencies: "commons-beanutils" and an out-dated version of "commons-fileupload" Mitigation: Upgrade to 16.11.06 or manually apply the commits from OFBIZ-10770 and OFBIZ-10837 on branch 16

Vendor	Product	Versions
Apache	OFBiz	affected `OFBiz 16.11.01 to 16.11.05`

References

[ofbiz-dev] 20190910 [CVE-2019-0189] Apache OFBiz remote code execution and arbitrary file delete via Java

mailing-list

x_refsource_MLIST

[ofbiz-notifications] 20190913 [jira] [Updated] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)

mailing-list

x_refsource_MLIST

[ofbiz-notifications] 20190913 [jira] [Updated] (OFBIZ-10770) Update Apache commons-fileupload to last version (CVE-2019-0189)

mailing-list

x_refsource_MLIST

[ofbiz-commits] 20200206 svn commit: r1873710 - in /ofbiz/site: security.html template/page/security.tpl.php

mailing-list

x_refsource_MLIST

[ofbiz-notifications] 20200224 [jira] [Commented] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)

mailing-list

x_refsource_MLIST

[ofbiz-commits] 20200224 [ofbiz-framework] branch trunk updated: Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398)

mailing-list

x_refsource_MLIST

[ofbiz-commits] 20200224 [ofbiz-framework] branch release17.12 updated: Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398)

mailing-list

x_refsource_MLIST

[ofbiz-commits] 20200224 [ofbiz-framework] branch release18.12 updated: Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398)

mailing-list

x_refsource_MLIST

[ofbiz-notifications] 20200224 [jira] [Updated] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)

mailing-list

x_refsource_MLIST

[ofbiz-notifications] 20200225 [jira] [Updated] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)

mailing-list

x_refsource_MLIST

[ofbiz-commits] 20200306 svn commit: r1874880 [5/5] - in /ofbiz/site: download.html release-notes-17.12.01.html security.html template/page/download.tpl.php template/page/release-notes-17.12.01.tpl.php template/page/security.tpl.php

mailing-list

x_refsource_MLIST

[ofbiz-commits] 20200430 [ofbiz-site] branch master updated: Update for 2 last CVEs: CVE-2019-0235 & CVE-2019-12425

mailing-list

x_refsource_MLIST

[ofbiz-notifications] 20200502 [jira] [Commented] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.