The Apache Software Foundation addressed last week a high severity vulnerability in Apache OFBiz, tracked as CVE-2021-26295, that could have allowed a remote, unauthenticated attacker to take over the ERP system.
Unsafe deserialization occurs when malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code when deserialized. This category of issue could compromise the availability, authorization process, and bypass access control.
Apache OFBiz is an open-source enterprise resource planning (ERP) system that provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise.
The issue is unsafe deserialization that affects versions prior to 17.12.06, it could allow unauthorized remote attackers to execute arbitrary code on the server and potentially take over the open-source ERP system.
“Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.” wrote Jacques Le Roux.
The flaw was reported by r00t4dm at Cloud-Penetrating Arrow Lab, MagicZero from SGLAB of Legendsec at Qi’anxin Group, and Longofo at Knownsec 404 Team.
Admins have to upgrade their OFBiz install to the latest version (17.12.06) as soon as possible.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, OFBiz)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.