Access Control: Apache OFBiz - JNDI Remote Code Execution (Apache Log4j)
Identifier:
apache_ofbiz_log4j_rce
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner |
|---|---|---|
Description
Apache OFBiz is affected by a remote code execution vulnerability in the bundled Apache Log4j logging library. Apache Log4j is vulnerable because it applies insufficient protections to message lookup substitutions when handling user-controlled input. A remote, unauthenticated attacker can exploit this, via a web request, to execute arbitrary code with the permission level of the running Java process.
Reference:
- https://issues.apache.org/jira/browse/OFBIZ-12449
- https://ofbiz.apache.org/
- https://logging.apache.org/log4j/2.x/security.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Configuration
Example
Example configuration:
Reference
assets_allowed
Type : List[AssetType]*
List of assets that this check will cover.
skip
Type : boolean
Skip the test if true.