Apache OFBiz Remote Code Execution Vulnerability Alert

Apache OFBiz is an open-source enterprise resource planning system. It provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise. OFBiz is an Apache Software Foundation top-level project. On April 27, 2021, Apache OFBiz issued a vulnerability risk notice [1][2] for two security vulnerabilities, CVE-2021-29200 and CVE-2021-30128.

Vulnerability Detail

CVE-2021-29200: RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI

Because Apache OFBiz deserializes untrusted data received over Java RMI, an unauthenticated user can achieve remote code execution and take over the server.

CVE-2021-30128: Unsafe deserialization in OFBiz

Insecure deserialization in Apache OFBiz can lead to code execution and server takeover.

Affected version

  • Apache OFBiz < 17.12.07

Unaffected version

  • Apache OFBiz 17.12.07
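As an added example that is not part of the original advisory, the following Python check compares a deployed OFBiz version string against the affected range stated above (below 17.12.07 affected, 17.12.07 fixed). It assumes OFBiz versions are dotted numeric strings such as 17.12.06, optionally followed by a qualifier; anything else is reported as unknown rather than silently treated as safe.

```python
"""Check an Apache OFBiz version string against this advisory's affected range.

Added example, not part of the original advisory. Assumes versions look like
"17.12.06" (optionally with a trailing qualifier such as "-SNAPSHOT").
"""
import re
from typing import Optional, Tuple

# Range from the advisory: Apache OFBiz < 17.12.07 is affected, 17.12.07 is not.
FIXED_VERSION = (17, 12, 7)


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a dotted numeric version, or None.

    A trailing qualifier is ignored; a missing component is padded with zeros,
    so "17.12" compares as 17.12.00 (i.e. below the fixed release).
    """
    match = re.match(r"^\s*(\d+(?:\.\d+)*)", version)
    if not match:
        return None
    parts = tuple(int(p) for p in match.group(1).split("."))
    return (parts + (0, 0, 0))[:3]


def is_affected(version: str) -> Optional[bool]:
    """True if affected, False if at or above the fixed release, None if unknown."""
    parsed = parse_version(version)
    if parsed is None:
        return None  # unparseable input: do not report it as safe
    return parsed < FIXED_VERSION


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    for sample in ("16.11.05", "17.12.06", "17.12.06-SNAPSHOT", "17.12.07", "n/a"):
        verdict = {True: "AFFECTED", False: "not affected", None: "unknown"}[is_affected(sample)]
        print(f"{sample:>20}: {verdict}")
```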

Solution

We recommend that users upgrade Apache OFBiz to the latest version as soon as possible.