Apache OFBiz XMLRPC Deserialization RCE (CVE-2020-9496/CVE-2023-49070)

Description

Apache OFBiz contains a critical vulnerability in its Webtools XMLRPC endpoint that performs unsafe Java deserialization of user-supplied data. When processing XMLRPC requests, the application deserializes untrusted input without proper validation, allowing attackers to inject malicious serialized objects. This vulnerability affects multiple versions of Apache OFBiz and is tracked under CVE-2020-9496 and CVE-2023-49070.

Remediation

Apply the following remediation steps immediately:

1. Upgrade Apache OFBiz: Update to version 17.12.04 or later, which removes the deprecated Apache XML-RPC code that contains this vulnerability.

2. Verify the Fix: Confirm that the XMLRPC endpoint has been disabled or removed by checking that requests to /webtools/control/xmlrpc return a 404 error.

3. Review Logs: Examine application and web server logs for any suspicious XMLRPC requests or deserialization attempts that may indicate prior exploitation.

4. Network Controls: If immediate patching is not possible, restrict access to the /webtools path to trusted IP addresses only using firewall rules or web application firewall (WAF) policies as a temporary mitigation.
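A small log-review helper for step 3, which also tallies the post-fix 404s that step 2 expects. It is an added example, not code from Invicti or the Apache OFBiz project; it assumes the Apache/nginx combined access-log format, and the log lines are constructed for this example.

```python
import re
from collections import Counter

# Apache/nginx combined log format; the sample lines further down are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
XMLRPC_PATH = "/webtools/control/xmlrpc"  # endpoint named in the remediation steps

def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def classify(entry):
    """Label an XMLRPC-endpoint hit (prefix match also catches ;jsessionid= variants)."""
    if entry is None or not entry["path"].startswith(XMLRPC_PATH):
        return None
    if entry["status"] == 404:
        return "disabled"      # the post-fix state step 2 expects
    if entry["method"] == "POST":
        return "post-request"  # a request body reached the endpoint: review closely
    return "probe"             # non-POST answered with something other than 404

def review(lines):
    """Count XMLRPC hits by label and collect the entries that need a closer look."""
    counts, flagged = Counter(), []
    for line in lines:
        entry = parse(line)
        label = classify(entry)
        if label is None:
            continue
        counts[label] += 1
        if label != "disabled":
            flagged.append((entry["ip"], entry["ts"], entry["method"], entry["status"], label))
    return counts, flagged

# Constructed sample log: two POSTs while the endpoint was live, one 404 after the fix.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2023:14:02:11 +0000] "POST /webtools/control/xmlrpc HTTP/1.1" 200 512 "-" "Java/1.8.0"',
    '203.0.113.5 - - [10/Dec/2023:14:02:13 +0000] "POST /webtools/control/xmlrpc HTTP/1.1" 500 1204 "-" "Java/1.8.0"',
    '198.51.100.7 - - [11/Dec/2023:09:15:40 +0000] "GET /webtools/control/xmlrpc HTTP/1.1" 404 196 "-" "curl/8.4.0"',
    '192.0.2.10 - - [11/Dec/2023:09:16:02 +0000] "GET /webtools/control/main HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
]
```

Run `review()` over the real access log; any `post-request` entry dated before the upgrade marks a request whose body was handed to the vulnerable endpoint and warrants closer investigation.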