¡¾Îó²îͨ¸æ¡¿Apache OFBiz XML-RPCÔ¶³Ì´úÂëÖ´ÐÐÎó²î£¨CVE-2023-49070£©

Ðû²¼Ê±¼ä 2023-12-06


Ò»¡¢Îó²î¸ÅÊö

CVE   ID

CVE-2023-49070

·¢Ã÷ʱ¼ä

2023-12-06

Àà    ÐÍ

RCE

µÈ    ¼¶

¸ßΣ

¹¥»÷ÏòÁ¿

ÍøÂç

ËùÐèȨÏÞ

ÎÞ

¹¥»÷ÖØƯºó

µÍ

Óû§½»»¥

ÎÞ

PoC/EXP

δ֪

ÔÚҰʹÓÃ

δ֪

 

Apache OFBiz£¨Apache Open For Business£©ÊÇÒ»¸ö¿ªÔ´¿ò¼Ü£¬Ö¼ÔÚ×ÊÖú¹¹½¨ÆóÒµ×ÊÔ´ÍýÏ루ERP£©Èí¼þ¡£

XML-RPCÊÇÒ»¸öÔ¶³ÌÀú³ÌŲÓõÄÂþÑÜʽÅÌËãЭÒ飬ͨ¹ýXML½«Å²Óú¯Êý·â×°£¬²¢Ê¹ÓÃHTTPЭÒé×÷Ϊ·¢ËÍ»úÖÆ¡£Apache XML-RPCÊÇXML-RPCµÄÒ»¸öJavaʵÏÖ¡£

12ÔÂ6ÈÕ£¬ÓÅ·¢¹ú¼ÊÍøÕ¾¹ÙÍøVSRC¼à²âµ½ApacheÐû²¼Ç徲ͨ¸æ£¬ÐÞ¸´ÁËOFBizÖеÄÒ»¸öÔ¶³Ì´úÂëÖ´ÐÐÎó²î£¨CVE-2023-49070£©¡£

Apache OFBiz °æ±¾18.12.10֮ǰ£¬ÓÉÓÚʹÓÃÁ˲»ÔÙά»¤µÄApache XML-RPC£¬ÍþвÕß¿É·¢ËÍÌØÖÆHTTP ÇëÇóµ½ XML-RPC½Ó¿Ú/webtools/control/xmlrpcÈƹý½Ó¿Ú¹ýÂËÏÞÖÆ£¨CVE-2020-9496£©£¬ÀÖ³ÉʹÓøÃÎó²î¿ÉÄܵ¼ÖÂí§Òâ´úÂëÖ´ÐС£

 

¶þ¡¢Ó°Ïì¹æÄ£

Apache OFBiz °æ±¾< 18.12.10

×¢£ºOFBiz¹Ù·½ÒÑÓÚ4ÔÂÖ÷·ÖÖ§´úÂëÖÐɾ³ýXML-RPCÏà¹Ø´úÂ룬µ«ÔÚApache OFBizµÄÕýʽÐû²¼°æ±¾ÖУ¬°æ±¾18.12.10³¹µ×ÒƳýÁËXML-RPC¹¦Ð§¡£

 

Èý¡¢Çå¾²²½·¥

3.1 Éý¼¶°æ±¾

ÏÖÔÚ¸ÃÎó²îÒѾ­ÐÞ¸´£¬ÊÜÓ°ÏìÓû§¿ÉÉý¼¶µ½ÒÔÏ°汾£º

Apache OFBiz °æ±¾>= 18.12.10

ÏÂÔØÁ´½Ó£º

https://ofbiz.apache.org/download.html

3.2 ÔÝʱ²½·¥

Èô·ÇÐëÒª¿ÉÑ¡Ôñ½ûÓÃXML-RPC½Ó¿Ú£¬»òͨ¹ýÍøÂç²ãÃæµÄ»á¼û¿ØÖÆ£¬ÏÞÖƶÔXML-RPC½Ó¿ÚµÄ»á¼û¡£

3.3 ͨÓý¨Òé

l  °´ÆÚ¸üÐÂϵͳ²¹¶¡£¬ïÔ̭ϵͳÎó²î£¬ÌáÉý·þÎñÆ÷µÄÇå¾²ÐÔ¡£

l  ÔöǿϵͳºÍÍøÂçµÄ»á¼û¿ØÖÆ£¬Ð޸ķÀ»ðǽսÂÔ£¬¹Ø±Õ·ÇÐëÒªµÄÓ¦Óö˿ڻò·þÎñ£¬ïÔÌ­½«Î£ÏÕ·þÎñ£¨ÈçSSH¡¢RDPµÈ£©Ì»Â¶µ½¹«Íø£¬ïÔÌ­¹¥»÷Ãæ¡£

l  ʹÓÃÆóÒµ¼¶Çå¾²²úÆ·£¬ÌáÉýÆóÒµµÄÍøÂçÇå¾²ÐÔÄÜ¡£

l  ÔöǿϵͳÓû§ºÍȨÏÞÖÎÀí£¬ÆôÓöàÒòËØÈÏÖ¤»úÖƺÍ×îСȨÏÞÔ­Ôò£¬Óû§ºÍÈí¼þȨÏÞÓ¦¼á³ÖÔÚ×îµÍÏ޶ȡ£

l  ÆôÓÃÇ¿ÃÜÂëÕ½ÂÔ²¢ÉèÖÃΪ°´ÆÚÐ޸ġ£

3.4 ²Î¿¼Á´½Ó

https://lists.apache.org/thread/jmbqk2lp4t4483whzndp5xqlq4f3otg3

https://issues.apache.org/jira/browse/OFBIZ-12812

https://mp.weixin.qq.com/s/23G46cJX1tm6KGE3lLyEbg

https://nvd.nist.gov/vuln/detail/CVE-2019-17570

https://nvd.nist.gov/vuln/detail/CVE-2020-9496

 

ËÄ¡¢°æ±¾ÐÅÏ¢

°æ±¾

ÈÕÆÚ

±¸×¢

V1.0

2023-12-06

Ê×´ÎÐû²¼

 

Îå¡¢¸½Â¼

5.1 ÓÅ·¢¹ú¼ÊÍøÕ¾¹ÙÍø¼ò½é

ÓÅ·¢¹ú¼ÊÍøÕ¾¹ÙÍø½¨ÉèÓÚ1996Ä꣬ÊÇÓÉÁôÃÀ²©Ê¿ÑÏÍû¼ÑŮʿ½¨ÉèµÄ¡¢ÓµÓÐÍêÈ«×ÔÖ÷֪ʶ²úȨµÄÐÅÏ¢Çå¾²¸ß¿Æ¼¼ÆóÒµ¡£ÊǺ£ÄÚ×î¾ßʵÁ¦µÄÐÅÏ¢Çå¾²²úÆ·¡¢Çå¾²·þÎñ½â¾ö¼Æ»®µÄÁ캽ÆóÒµÖ®Ò»¡£

¹«Ë¾×ܲ¿Î»ÓÚ±±¾©ÊÐÖйشåÈí¼þÔ°ÓÅ·¢¹ú¼ÊÍøÕ¾¹ÙÍø´óÏ㬹«Ë¾Ô±¹¤6000ÓàÈË£¬Ñз¢ÍŶÓ1200ÓàÈË, ÊÖÒÕ·þÎñÍŶÓ1300ÓàÈË¡£ÔÚÌìϸ÷Ê¡¡¢ÊС¢×ÔÖÎÇøÉèÁ¢·ÖÖ§»ú¹¹ÁùÊ®¶à¸ö£¬ÓµÓÐÁýÕÖÌìϵÄÏúÊÛϵͳ¡¢ÇþµÀϵͳºÍÊÖÒÕÖ§³Öϵͳ¡£¹«Ë¾ÓÚ2010Äê6ÔÂ23ÈÕÔÚÉîÛÚÖÐС°å¹ÒÅÆÉÏÊС££¨¹ÉƱ´úÂ룺002439£©

¶àÄêÀ´£¬ÓÅ·¢¹ú¼ÊÍøÕ¾¹ÙÍøÖÂÁ¦ÓÚÌṩ¾ßÓйú¼Ê¾ºÕùÁ¦µÄ×ÔÖ÷Á¢ÒìµÄÇå¾²²úÆ·ºÍ×î¼Ñʵ¼ù·þÎñ£¬×ÊÖú¿Í»§ÖÜÈ«ÌáÉýÆäIT»ù´¡ÉèÊ©µÄÇå¾²ÐÔºÍÉú²úЧÄÜ£¬Îª´òÔìºÍÌáÉý¹ú¼Ê»¯µÄÃñ×åÐÅÏ¢Çå¾²¹¤ÒµÁì¾üÆ·Åƶø²»Ð¸Æ𾢡£

5.2 ¹ØÓÚÓÅ·¢¹ú¼ÊÍøÕ¾¹ÙÍø

ÓÅ·¢¹ú¼ÊÍøÕ¾¹ÙÍøÇå¾²Ó¦¼±ÏìÓ¦ÖÐÐÄÒÑÐû²¼1000¶à¸öÎó²îͨ¸æºÍΣº¦Ô¤¾¯£¬ÎÒÃǽ«Ò»Á¬¸ú×ÙÈ«Çò×îеÄÍøÂçÇå¾²ÊÂÎñºÍÎó²î£¬ÎªÆóÒµµÄÐÅÏ¢Çå¾²±£¼Ý»¤º½¡£

¹Ø×¢ÎÒÃÇ£º

image.png