# Access Control: Apache OFBiz - JNDI Remote Code Execution (Apache Log4j)

Identifier: `apache_ofbiz_log4j_rce`

## Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
## Description

Apache OFBiz is affected by a remote code execution vulnerability in the bundled Apache Log4j logging library (CVE-2021-44228). Log4j performs lookup substitutions on logged message text, and insufficient protections on those substitutions allow unauthenticated attackers to execute arbitrary code.

How we test: we test for Log4j remote code execution in Apache OFBiz by injecting JNDI lookup payloads into user-controlled input and analyzing the responses to determine whether remote code execution is possible.

Reference:
- https://issues.apache.org/jira/browse/OFBIZ-12449
- https://ofbiz.apache.org/
- https://logging.apache.org/log4j/2.x/security.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
## Configuration

### Example

Example configuration:

## Reference

### skip

Type: boolean
Skip the test if true.