CVE-2018-17200

Name of the Vulnerable Software and Affected Versions Apache OFBiz versions prior to 16.11.06

Description The issue exists due to insufficient input validation in the Apache OFBiz HTTP engine, specifically in the org.apache.ofbiz.service.engine.HttpEngine.java component. This allows a remote attacker to execute arbitrary code by sending a specially crafted request to the "/webtools/control/httpService" endpoint, which deserializes the serviceContent parameter using XStream. Although the XStream instance has some protection by disabling the creation of ProcessBuilder, this protection can be easily bypassed in multiple ways.

Recommendations For Apache OFBiz versions prior to 16.11.06: Upgrade to 16.11.06 or manually apply the commits on branch 16 r1850017+1850019 to resolve the issue. As a temporary workaround, consider restricting access to the "/webtools/control/httpService" endpoint to minimize the risk of exploitation. Avoid using the serviceContent parameter in the affected API endpoint until the issue is resolved.