Rewterz Threat Advisory – Multiple Apache Vulnerabilities

Severity

High

Analysis Summary

CVE-2021-30638

Apache Tapestry allows a remote attacker to obtain sensitive information on the affected system. The vulnerability is caused by a flaw in the context asset handling. The vulnerability can be exploited by an attacker by sending a specially crafted URL request that downloads arbitrary files inside WEB-INF. This information can be used to launch further attacks on the system.

CVE-2021-30128; CVE-2021-29200

Apache OFBiz allows a remote attacker to execute arbitrary codes on the system. The vulnerability is caused by an unsafe deserialization flaw. The vulnerability can be exploited by an attacker by sending a specially crafted input request to execute arbitrary codes on the system.

CVE-2021-28125

Apache Superset allows a remote attacker to conduct phishing attacks. The vulnerability is caused by an open redirect vulnerability in the dashboard. The vulnerability can be exploited by an attacker by sending a specially crafted URL request that redirects a victim to arbitrary websites.

CVE-2020-17517

Apache Ozone allows a remote attacker to obtain sensitive information on the affected system. The vulnerability is caused by improper access control. The vulnerability can be exploited by an attacker by sending a specially crafted curl command or HTTP request that obtains buckets and keys information. This information can be used to launch further attacks on the system.

Impact

• Denial of Service
• Information Security
• Information Disclosure
• Remote Code Execution

Affected Vendors

Apache

Affected Products

• Apache Tapestry 4.0
• Apache OFBiz 17.12.06
• Apache Superset 1.0.0
• Apache Ozone 1.0.0
• Apache Tapestry 5.6.3
• Apache Tapestry 5.7.0
• Apache Tapestry 5.7.1

Remediation

Download the latest patches and upgrade to the latest versions of Apache Tapestry, Apache OFBiz, Apache Superset, and Apache Ozone from https://www.apache.org/