Apache OFBiz Remote Code Execution Vulnerability Alert
Apache OFBiz is an open-source enterprise resource planning system. It provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise. OFBiz is an Apache Software Foundation top-level project. On April 27, 2021, Apache OFBiz had issued the vulnerability risk notice [1][2] to alert 2 security vulnerabilities. The vulnerability numbers were CVE-2021-29200 and CVE-2021-30128.
Vulnerability Detail
CVE-2021-29200: RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI
Due to the Java RMI deserialization vulnerability in Apache OFBiz, unauthenticated users can perform RCE attacks, causing the server to be taken over.
CVE-2021-30128: Unsafe deserialization in OFBiz
Due to the insecure deserialization of Apache OFBiz, it may cause code execution and the server to be taken over.
Affected version
- Apache OFBiz < 17.12.07
Unaffected version
- Apache OFBiz 17.12.07
Solution
In this regard, we recommend that users upgrade Apache OFBiz to the latest version in time.
