Is anyone else getting a bunch of false positives from this new check? Since the check was released on the 5th Sept, it’s showing up all over my environment on machines that have no Apache OFBiz installed. For example, we have Cisco security appliances which are showing as positive.
The Proof section is pretty vague. This is from one of my machines, but other machines are pretty identical results-wise.
I want to add to this as well. These are getting picked up from desktop assets to servers to networking equipment. We don’t use Apache OFBiz. I do plan to create a ticket to r7 regarding this. Maybe they can shed some light on how their check is running exactly.
After opening a ticket and providing some logs and additional proof that we are not utilizing this OFBiz software, the Rapid7 support engineer responded to my open ticket with the following this morning: “Our Engineering team is aware and actively working on a resolution. We will provide an update once more information becomes available.”
We have also opened a ticket about this and got the notification today that it should be fixed:
“We’re pleased to let you know that our engineering team released a fix for this reported CVE related to Apache OFBiz.
You may run a scan to verify or wait for the next scheduled scan.”
Wanted to provide a quick update. After sending in a ticket with all the relevant logs, etc. r7 said it was fixed. Rescanned and sure enough, all OFBiz vulns went away.