GSD-2019-0189

Vulnerability from gsd - Updated: 2023-12-13 01:23
Details
The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the "webtools/control/httpService" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter "serviceContext" is passed to the "deserialize" method of "XmlSerializer". Apache Ofbiz is affected via two different dependencies: "commons-beanutils" and an out-dated version of "commons-fileupload" Mitigation: Upgrade to 16.11.06 or manually apply the commits from OFBIZ-10770 and OFBIZ-10837 on branch 16
Aliases
Aliases
CVE-2019-0189
To clipboard 

{
  "GSD": {
    "alias": "CVE-2019-0189",
    "description": "The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the \"webtools/control/httpService\" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter \"serviceContext\" is passed to the \"deserialize\" method of \"XmlSerializer\". Apache Ofbiz is affected via two different dependencies: \"commons-beanutils\" and an out-dated version of \"commons-fileupload\" Mitigation: Upgrade to 16.11.06 or manually apply the commits from OFBIZ-10770 and OFBIZ-10837 on branch 16",
    "id": "GSD-2019-0189"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-0189"
      ],
      "details": "The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the \"webtools/control/httpService\" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter \"serviceContext\" is passed to the \"deserialize\" method of \"XmlSerializer\". Apache Ofbiz is affected via two different dependencies: \"commons-beanutils\" and an out-dated version of \"commons-fileupload\" Mitigation: Upgrade to 16.11.06 or manually apply the commits from OFBIZ-10770 and OFBIZ-10837 on branch 16",
      "id": "GSD-2019-0189",
      "modified": "2023-12-13T01:23:40.085824Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2019-0189",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "OFBiz",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "OFBiz 16.11.01 to 16.11.05"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the \"webtools/control/httpService\" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter \"serviceContext\" is passed to the \"deserialize\" method of \"XmlSerializer\". Apache Ofbiz is affected via two different dependencies: \"commons-beanutils\" and an out-dated version of \"commons-fileupload\" Mitigation: Upgrade to 16.11.06 or manually apply the commits from OFBIZ-10770 and OFBIZ-10837 on branch 16"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "remote code execution"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "[ofbiz-dev] 20190910 [CVE-2019-0189] Apache OFBiz remote code execution and arbitrary file delete via Java",
            "refsource": "MLIST",
            "url": "https://s.apache.org/hsn2g"
          },
          {
            "name": "[ofbiz-notifications] 20190913 [jira] [Updated] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/7316b4fa811e1ec27604cda3c30560e7389fc6b8c91996c9640fabb8@%3Cnotifications.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-notifications] 20190913 [jira] [Updated] (OFBIZ-10770) Update Apache commons-fileupload to last version (CVE-2019-0189)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/986ed5f1a0e209f87ed4a2d348ae5735054f9188912bb2fed7a5543f@%3Cnotifications.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-commits] 20200206 svn commit: r1873710 - in /ofbiz/site: security.html template/page/security.tpl.php",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r8f01aab5dd92487c191599def3c950c643d7ad297c4db1d6722ea151@%3Ccommits.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-notifications] 20200224 [jira] [Commented] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r11fd9562dbdfc0be95e40518cbef70ab2565129f6f542a870ab82c69@%3Cnotifications.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-commits] 20200224 [ofbiz-framework] branch trunk updated: Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/ref1b535d7bd5423bfb456cd05aa41e52875390cdfc6ae7c50397ead6@%3Ccommits.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-commits] 20200224 [ofbiz-framework] branch release17.12 updated: Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r883840bbb4e2366acd0f6477e86b584000900a270a86587f979a55f9@%3Ccommits.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-commits] 20200224 [ofbiz-framework] branch release18.12 updated: Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/rb0e716837168dc1073fcd76bea644806e5337c247fdb5d8c243d41f8@%3Ccommits.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-notifications] 20200224 [jira] [Updated] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/re4623c0fec904882cbbf8cda558f88c1857397fb5c35761bc12a78bd@%3Cnotifications.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-notifications] 20200225 [jira] [Updated] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/rc0a839fe38d3de775f62e39d45af91870950b59688b64ab61ecc080e@%3Cnotifications.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-commits] 20200306 svn commit: r1874880 [5/5] - in /ofbiz/site: download.html release-notes-17.12.01.html security.html template/page/download.tpl.php template/page/release-notes-17.12.01.tpl.php template/page/security.tpl.php",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/rf8651e75162819a267384f8a31c20884bc3a9a6707afbf75200cd98d@%3Ccommits.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-commits] 20200430 [ofbiz-site] branch master updated: Update for 2 last CVEs: CVE-2019-0235 \u0026 CVE-2019-12425",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/rfafb229c0d805c8f2bd232d28cd1297876faf5c953f1d7bcf76eef4f@%3Ccommits.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-notifications] 20200502 [jira] [Commented] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r2c2db313ac9a43f1cfbd01092e4acb0b8bd38d90091889236ad827e7@%3Cnotifications.ofbiz.apache.org%3E"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.11.06",
                "versionStartIncluding": "16.11.01",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2019-0189"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the \"webtools/control/httpService\" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter \"serviceContext\" is passed to the \"deserialize\" method of \"XmlSerializer\". Apache Ofbiz is affected via two different dependencies: \"commons-beanutils\" and an out-dated version of \"commons-fileupload\" Mitigation: Upgrade to 16.11.06 or manually apply the commits from OFBIZ-10770 and OFBIZ-10837 on branch 16"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-502"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[ofbiz-dev] 20190910 [CVE-2019-0189] Apache OFBiz remote code execution and arbitrary file delete via Java",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://s.apache.org/hsn2g"
            },
            {
              "name": "[ofbiz-notifications] 20190913 [jira] [Updated] (OFBIZ-10770) Update Apache commons-fileupload to last version (CVE-2019-0189)",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/986ed5f1a0e209f87ed4a2d348ae5735054f9188912bb2fed7a5543f@%3Cnotifications.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-notifications] 20190913 [jira] [Updated] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/7316b4fa811e1ec27604cda3c30560e7389fc6b8c91996c9640fabb8@%3Cnotifications.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-commits] 20200206 svn commit: r1873710 - in /ofbiz/site: security.html template/page/security.tpl.php",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/r8f01aab5dd92487c191599def3c950c643d7ad297c4db1d6722ea151@%3Ccommits.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-notifications] 20200224 [jira] [Commented] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/r11fd9562dbdfc0be95e40518cbef70ab2565129f6f542a870ab82c69@%3Cnotifications.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-commits] 20200224 [ofbiz-framework] branch trunk updated: Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398)",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/ref1b535d7bd5423bfb456cd05aa41e52875390cdfc6ae7c50397ead6@%3Ccommits.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-commits] 20200224 [ofbiz-framework] branch release18.12 updated: Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398)",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/rb0e716837168dc1073fcd76bea644806e5337c247fdb5d8c243d41f8@%3Ccommits.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-commits] 20200224 [ofbiz-framework] branch release17.12 updated: Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398)",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/r883840bbb4e2366acd0f6477e86b584000900a270a86587f979a55f9@%3Ccommits.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-notifications] 20200224 [jira] [Updated] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/re4623c0fec904882cbbf8cda558f88c1857397fb5c35761bc12a78bd@%3Cnotifications.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-notifications] 20200225 [jira] [Updated] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/rc0a839fe38d3de775f62e39d45af91870950b59688b64ab61ecc080e@%3Cnotifications.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-commits] 20200306 svn commit: r1874880 [5/5] - in /ofbiz/site: download.html release-notes-17.12.01.html security.html template/page/download.tpl.php template/page/release-notes-17.12.01.tpl.php template/page/security.tpl.php",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/rf8651e75162819a267384f8a31c20884bc3a9a6707afbf75200cd98d@%3Ccommits.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-commits] 20200430 [ofbiz-site] branch master updated: Update for 2 last CVEs: CVE-2019-0235 \u0026 CVE-2019-12425",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/rfafb229c0d805c8f2bd232d28cd1297876faf5c953f1d7bcf76eef4f@%3Ccommits.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-notifications] 20200502 [jira] [Commented] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/r2c2db313ac9a43f1cfbd01092e4acb0b8bd38d90091889236ad827e7@%3Cnotifications.ofbiz.apache.org%3E"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2020-02-06T16:15Z",
      "publishedDate": "2019-09-11T21:15Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.