The Apache Software Foundation addressed last week a high severity vulnerability in Apache OFBiz, tracked as CVE-2021-26295, that could have allowed a remote, unauthenticated attacker to take over the ERP system.
Unsafe deserialization occurs when malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code when deserialized. This category of issue could compromise the availability, authorization process, and bypass access control.
Apache OFBiz is an open-source enterprise resource planning (ERP) system that provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise.
The issue is unsafe deserialization that affects versions prior to 17.12.06, it could allow unauthorized remote attackers to execute arbitrary code on the server and potentially take over the open-source ERP system.
“Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.” wrote Jacques Le Roux.
The flaw was reported by r00t4dm at Cloud-Penetrating Arrow Lab, MagicZero from SGLAB of Legendsec at Qi’anxin Group, and Longofo at Knownsec 404 Team.
Admins have to upgrade their OFBiz install to the latest version (17.12.06) as soon as possible.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, OFBiz)