SB2017083013 - Multiple vulnerabilities in OFBiz

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2016-4462)

The vulnerability allows a remote authenticated user to execute arbitrary code.

By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage; a specially crafted Freemarker template could be used for remote code execution. Mitigation: Upgrade to Apache OFBiz 16.11.01

2) Cross-site scripting (CVE-ID: CVE-2016-6800)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The default configuration of the Apache OFBiz framework offers a blog functionality. Different users are able to operate blogs which are related to specific parties. In the form field for the creation of new blog articles the user input of the summary field as well as the article field is not properly sanitized. It is possible to inject arbitrary JavaScript code in these form fields. This code gets executed from the browser of every user who is visiting this article. Mitigation: Upgrade to Apache OFBiz 16.11.01.

Remediation

Install update from vendor's website.

References

• http://git.net/ml/dev.ofbiz.apache.org/2016-11/msg00180.html
• https://lists.apache.org/thread.html/28987cffe0237fa67eca9de8bbbc04a917ac8785342ad9e5a196c978@%3Cuser.ofbiz.apache.org%3E
• https://s.apache.org/Owsz