
Cloud Vulnerability DB
A community-led vulnerabilities database
Apache OFBiz versions up to 18.12.05 were found to be vulnerable to a Regular Expression Denial of Service (ReDoS) vulnerability, identified as CVE-2022-29158. The vulnerability was discovered in the way the application handles URLs provided by external, unauthenticated users. The issue was reported on April 12, 2022, and a fix was released in version 18.12.06 on September 2, 2022 (GitHub Security Lab).
The vulnerability exists in the UtilHttp.java file where a complex regular expression pattern is used to identify URLs in HTTP request parameters. The regex pattern contains nested repetitions that can cause catastrophic backtracking, leading to exponential processing time. The vulnerable code is triggered when user-provided URLs don't contain allowed protocols and are processed through the extractUrls method. The issue has a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD, GitHub Security Lab).
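As an added illustration, not code from the Apache OFBiz project or from the advisory, the following Python lint walks a regex parse tree and reports every variable-length quantifier nested inside another repeat, the structure this entry attributes to the vulnerable pattern. The `URL_LIKE` and `URL_SAFE` patterns are constructed for the example and are not the OFBiz regex.

```python
"""Lint regex patterns for nested quantifiers, the construct that lets a
backtracking engine take exponential time on non-matching input (ReDoS).
Example code written for this entry; it does not reproduce the OFBiz regex."""
try:                              # Python 3.11+ moved the parser here
    from re import _parser as sre_parse
except ImportError:               # older interpreters
    import sre_parse

# Opcodes that repeat a sub-pattern (POSSESSIVE_REPEAT exists only on 3.11+).
REPEAT_OPS = {op for op in (sre_parse.MAX_REPEAT, sre_parse.MIN_REPEAT,
                            getattr(sre_parse, "POSSESSIVE_REPEAT", None))
              if op is not None}
ATOMIC_GROUP = getattr(sre_parse, "ATOMIC_GROUP", None)

def _children(op, av):
    """Yield the sub-patterns nested directly inside one parsed node."""
    if op in REPEAT_OPS:
        yield av[2]                       # (min, max, body)
    elif op == sre_parse.SUBPATTERN:
        yield av[-1]                      # (group, add_flags, del_flags, body)
    elif op == sre_parse.BRANCH:
        yield from av[1]                  # (None, [alternative, ...])
    elif op in (sre_parse.ASSERT, sre_parse.ASSERT_NOT):
        yield av[1]                       # (direction, body)
    elif op == sre_parse.GROUPREF_EXISTS:
        yield from (p for p in av[1:] if p is not None)
    elif ATOMIC_GROUP is not None and op == ATOMIC_GROUP:
        yield av

def _walk(body, inside_repeat, findings):
    for op, av in body:
        child_inside = inside_repeat
        if op in REPEAT_OPS:
            lo, hi = av[0], av[1]
            if inside_repeat and lo != hi:   # variable-length repeat under another repeat
                shown = "inf" if hi == sre_parse.MAXREPEAT else hi
                findings.append(f"quantifier {{{lo},{shown}}} nested inside another quantifier")
            child_inside = inside_repeat or hi > 1
        for child in _children(op, av):
            _walk(child, child_inside, findings)

def nested_quantifiers(pattern):
    """Return one finding per variable-length quantifier nested in a repeat."""
    findings = []
    _walk(sre_parse.parse(pattern), False, findings)
    return findings

def is_redos_prone(pattern):
    return bool(nested_quantifiers(pattern))

# Constructed URL matcher in the style the entry describes: "(/[\w./-]*)*" lets the
# engine split "/a/b/c" between the inner and outer repeat in many ways. Note the
# lint also flags "([\w-]+\.)+", which the literal "." keeps unambiguous: triage findings.
URL_LIKE = r"^(https?://)?([\w-]+\.)+[\w-]+(/[\w./-]*)*$"
# Rewrite without nesting: each repeat consumes its own character class.
URL_SAFE = r"^https?://[^/\s]+(?:/\S*)?$"
```

Run as a script, or call `nested_quantifiers()` over the patterns collected from a code base during review.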
The vulnerability can lead to a denial of service condition through resource consumption. When exploited, the application server can become unresponsive due to the exponential time required to process specially crafted URLs. This is particularly impactful as the vulnerability can be triggered by unauthenticated users with a single HTTP request (GitHub Security Lab).
Users are advised to upgrade to Apache OFBiz version 18.12.06 or later. Alternatively, patches can be applied from the Apache Jira issue OFBIZ-12599. The latest release includes this fix (Openwall).
Source: This report was generated using AI