CVE-2019-0189 Details

CVE-2019-0189

Published: 2019-09-11
Last Modified: 2020-02-06
CVE Author: NIST National Vulnerability Database
CVE Assigner: security@apache.org
Summary

The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the "webtools/control/httpService" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter "serviceContext" is passed to the "deserialize" method of "XmlSerializer". Apache Ofbiz is affected via two different dependencies: "commons-beanutils" and an out-dated version of "commons-fileupload" Mitigation: Upgrade to 16.11.06 or manually apply the commits from OFBIZ-10770 and OFBIZ-10837 on branch 16

Analysis
Common Vulnerability Score System v2.0
Severity High
Base Score 7.5/10
Exploit Score 10/10
Access Vector Network
Access Complexity Low
Authentication None
Impact Score 6.4/10
Confidentiality Impact Partial
Availability Impact Partial
Integrity Impact Partial
Vector String AV:N/AC:L/Au:N/C:P/I:P/A:P
Common Vulnerability Score System v3.1
Severity Critical
Base Score 9.8/10
Exploit Score 3.9/10
Access Vector Network
Access Complexity Low
Privileges Required None
Impact Score 5.9/10
Confidentiality Impact High
Availability Impact High
Integrity Impact High
Scope Unchanged
User Interaction None
Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Products Reported
CPE Vulnerable Start Excluding
cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:* Yes 16.11.01 16.11.06
References

https://s.apache.org/hsn2g
https://lists.apache.org/thread.html/986ed5f1a0e209f87ed4a2d348ae5735054f9188912bb2fed7a
https://lists.apache.org/thread.html/7316b4fa811e1ec27604cda3c30560e7389fc6b8c91996c9640
https://lists.apache.org/thread.html/r8f01aab5dd92487c191599def3c950c643d7ad297c4db1d672
https://lists.apache.org/thread.html/r11fd9562dbdfc0be95e40518cbef70ab2565129f6f542a870a
https://lists.apache.org/thread.html/ref1b535d7bd5423bfb456cd05aa41e52875390cdfc6ae7c503
https://lists.apache.org/thread.html/rb0e716837168dc1073fcd76bea644806e5337c247fdb5d8c24
https://lists.apache.org/thread.html/r883840bbb4e2366acd0f6477e86b584000900a270a86587f97
https://lists.apache.org/thread.html/re4623c0fec904882cbbf8cda558f88c1857397fb5c35761bc1
https://lists.apache.org/thread.html/rc0a839fe38d3de775f62e39d45af91870950b59688b64ab61e
https://lists.apache.org/thread.html/rf8651e75162819a267384f8a31c20884bc3a9a6707afbf7520
https://lists.apache.org/thread.html/rfafb229c0d805c8f2bd232d28cd1297876faf5c953f1d7bcf7
https://lists.apache.org/thread.html/r2c2db313ac9a43f1cfbd01092e4acb0b8bd38d90091889236a

CVE ID
CVE-2019-0189
Published
2019-09-11
Modified
2020-02-06
CVSSv2.0
High
CVSSv3.1
Critical
PCI Compliance
Fail
US-CERT Alert
No
CWE
CWE-502

Free Vulnerability Scanning, Assessment and Management

Mageni's Platform is packed with all the features you need to scan, assess and manage vulnerabilities like this - it is free, open source, lightning fast, reliable and scalable.

Router
Servers
Laptop
Database
Group
Cloud

Frequently Asked Questions

No, you can scan concurrently as many assets as you want. Please note that you must be aware of the hardware requeriments of the platform to ensure a good performance.

No, you can add as many assest as you want. It doesn't matters if you have millions of assets, we won't charge you for that.

No. The software is completely free. We have no intention to charge you to use the software, in fact - it completely goes against our beliefs and business model.

A vulnerability is defined in the ISO 27002 standard as “A weakness of an asset or group of assets that can be exploited by one or more threats” (International Organization for Standardization, 2005)

We generate revenue by providing support and other services for customers that require a subscription so they get guaranteed support and enterprise services. To use Mageni's Platform is completely free, with no limits at all.

Yes. Mageni understands that there are professionals and businesses that need commercial support so Mageni provides an active support subscription with everything needed to run Mageni's Platform reliably and securely. More than software, it's access to security experts, knowledge resources, security updates, and support tools you can't get anywhere else. The subscription includes:

  • Ongoing delivery
    • Patches
    • Bug fixes
    • Updates
    • Upgrades
  • Technical support
    • 24/7 availability
    • Unlimited Incidents
    • Specialty-based routing
    • Multi-Channel
  • Commitments
    • Software certifications
    • Software assurance
    • SLA

No, we don't store the information of your vulnerabilities in our servers.

Vulnerability management is the process in which vulnerabilities in IT are identified and the risks of these vulnerabilities are evaluated. This evaluation leads to correcting the vulnerabilities and removing the risk or a formal risk acceptance by the management of an organization. The term vulnerability management is often confused with vulnerability scanning. Despite the fact both are related, there is an important difference between the two. Vulnerability scanning consists of using a computer program to identify vulnerabilities in networks, computer infrastructure or applications. Vulnerability management is the process surrounding vulnerability scanning, also taking into account other aspects such as risk acceptance, remediation etc. Source: "Implementing a Vulnerability Management Process". SANS Institute.

I am ready to start scanning for vulnerabilities