Apache OFBizÔ¶³Ì´úÂëÖ´Ðзì϶

°ä²¼¹¦·ò 2021-03-22

0x00 ·ì϶¸ÅÊö

CVE  ID

CVE-2021-26295

ʱ   ¼ä

2021-03-22

Àà   ÐÍ

 RCE

µÈ   ¼¶

¸ßΣ

Ô¶³ÌÀûÓÃ

ÊÇ

Ó°ÏìÁìÓò

Apache OFBiz < 17.12.06

 

0x01 ·ì϶ÏêÇé

image.png

 

OFBizÊÇÒ»¸ö³ÛÃûµÄµç×ÓÉÌÎñƽ̨£¬ÏÖÒѳÉΪApache¶¥¼¶ÏîÄ¿¡£ËüÌṩÁË´´½¨»ùÓÚ×îÐÂJ2EE/XML¹æ·¶ºÍ¼¼Êõ³ß¶È£¬ÖØÒªÓÃÓÚ¹¹½¨´óÖÐÐÍÆóÒµ¼¶¡¢¿çƽ̨¡¢¿çÊý¾Ý¿â¡¢¿çÀûÓ÷þÎñÆ÷µÄ¶à²ã¡¢É¢²¼Ê½µç×ÓÉÌÎñÀàWEBÀûÓÃϵͳµÄ¿ò¼Ü¡£

2021Äê03ÔÂ21ÈÕ£¬Apache¹Ù·½°ä²¼°²È«²¼¸æ£¬¹«¿ªÁËApache OFBizÖеÄÒ»¸öÔ¶³Ì´úÂëÖ´Ðзì϶£¨CVE-2021-26295£©¡£ÓÉÓÚʹÓÃJava RMI£¨JavaÔ¶³Ì²½ÖèŲÓ㩵¼Ö²»°²È«µÄ·´ÐòÁл¯£¬Î´¾­Éí·ÝÑéÖ¤µÄ¹¥»÷ÕßÄܹ»Í¨¹ýÀûÓô˷ì϶Զ³ÌÖ´ÐдúÂ룬×îÖÕ½ÚÔìApache OFBiz¡£

 

0x02 ´ëÖý¨Òé

Ä¿Ç°¹Ù·½Òѽ¨¸´ÁË´Ë·ì϶£¬½¨ÒéÉý¼¶ÖÁApache OFBiz 17.12.06¡£

ÏÂÔØÁ´½Ó£º

https://ofbiz.apache.org/download.html

 

0x03 ²Î¿¼Á´½Ó

http://mail-archives.apache.org/mod_mbox/www-announce/202103.mbox/%3Cf8a84478-af53-adb1-21c7-db3174e81b7b@apache.org%3E

https://ofbiz.apache.org/release-notes-17.12.06.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26295

 

0x04 ¹¦·òÏß

2021-03-21  Apache°ä²¼°²È«²¼¸æ

2021-03-22  VSRC°ä²¼°²È«¹«¸æ

 

0x05 ¸½Â¼

 

CVSSÆÀ·Ö³ß¶È¹ÙÍø£ºhttp://www.first.org/cvss/

image.png