PT-2019-11182 · Apache · Apache Ofbiz

Published: 2019-09-11 · Updated: 2020-02-06 · CVE-2019-0189

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache Ofbiz versions prior to 16.11.06
Description: The issue is a Java deserialization flaw: attacker-controlled data is read with java.io.ObjectInputStream, which can be turned into remote code execution. It is exposed through the "webtools/control/httpService" URL, where the HttpEngine passes the value of the serviceContext request parameter directly to the deserialize method of XmlSerializer. Apache Ofbiz is affected because it depends on "commons-beanutils" and on an outdated version of "commons-fileupload", both libraries with well-known deserialization gadget chains that make the code execution practical.
Recommendations: For versions prior to 16.11.06, upgrade to 16.11.06 or manually apply the commits from OFBIZ-10770 and OFBIZ-10837 on branch 16. As a temporary workaround until the upgrade is in place, restrict access to the "webtools/control/httpService" URL (for every HTTP method, not only GET, since the parameter can also arrive in a request body) and stop the HttpEngine from accepting the serviceContext parameter.
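The two practical questions this advisory raises are "is my deployment affected?" and "has anyone touched the vulnerable endpoint?". The following Python is an added example, not code from this advisory or from the Apache OFBiz project. It compares an OFBiz version string against the 16.11.06 fix release and scans front-end access logs for requests to webtools/control/httpService carrying the serviceContext parameter, the request shape described above. The Combined Log Format regex and the sample log lines are constructed for this example; the endpoint and parameter names come from the advisory, and the tolerance for a reverse-proxy path prefix is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Fixed release named in the advisory: everything before 16.11.06 is affected.
FIXED_VERSION = (16, 11, 6)

# Endpoint and request parameter named in the advisory.
ENDPOINT = "/webtools/control/httpService"
PARAM = "serviceContext"

# Combined Log Format (Apache httpd / nginx default). Assumed log format for
# this example; adjust the regex if your front end logs differently.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_version(version):
    """Turn '16.11.06' into (16, 11, 6). Non-numeric labels such as
    '-SNAPSHOT' are ignored; missing components count as zero."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    nums = (nums + [0, 0, 0])[:3]
    return tuple(nums)


def is_affected(version):
    """True if the OFBiz version is below the 16.11.06 fix release."""
    return parse_version(version) < FIXED_VERSION


def triage_request(method, target):
    """Classify one request. Returns None when the request is not for the
    httpService endpoint, otherwise a reason string explaining the hit."""
    parts = urlsplit(target)
    # endswith() tolerates a reverse proxy that prepends a path prefix
    # (assumption for this example; use == if OFBiz is served at the root).
    if not parts.path.endswith(ENDPOINT):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if PARAM in query:
        return "serviceContext supplied in query string"
    if method == "POST":
        # Access logs do not record POST bodies, so a serviceContext sent in
        # the body is invisible here; the request still needs review.
        return "POST to httpService (body not logged, review separately)"
    return "request to httpService without serviceContext"


def scan_access_log(lines):
    """Return one dict per log line that reaches the httpService endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = triage_request(m["method"], m["target"])
        if reason is None:
            continue
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "method": m["method"],
            "target": m["target"],
            "status": int(m["status"]),
            "reason": reason,
        })
    return hits


# Constructed sample lines for this example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Sep/2019:10:14:02 +0000] "GET /webtools/control/httpService?serviceContext=CONSTRUCTED_PAYLOAD HTTP/1.1" 200 512 "-" "curl/7.64.0"',
    '203.0.113.5 - - [11/Sep/2019:10:14:09 +0000] "POST /webtools/control/httpService HTTP/1.1" 200 318 "-" "python-requests/2.22.0"',
    '198.51.100.7 - - [11/Sep/2019:10:15:30 +0000] "GET /webtools/control/main HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Sep/2019:10:16:01 +0000] "GET /webtools/control/httpService HTTP/1.1" 200 97 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [11/Sep/2019:10:17:44 +0000] "GET /ecommerce/control/main?serviceContext=x HTTP/1.1" 200 3001 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    print("16.11.05 affected:", is_affected("16.11.05"))
    print("16.11.06 affected:", is_affected("16.11.06"))
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["target"]} -> {hit["reason"]}')
```

A hit is an indicator that the vulnerable endpoint was reached, not proof of exploitation: on an unpatched host, confirm with the application logs or a request-body capture. Because the serviceContext value can be sent in a POST body, which access logs never record, the scanner reports every POST to the endpoint rather than silently accepting it, and any access restriction applied as a workaround should likewise cover all methods.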

Weakness Enumeration

Deserialization of Untrusted Data (CWE-502)

Related Identifiers

CVE-2019-0189

Affected Products

Apache Ofbiz
Java
Commons-Beanutils
Commons-Fileupload