RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI — Patch to the latest version.
CVE-2021-26295 — Apache OFBiz Vulnerability
Apache OFBiz is an open source enterprise resource planning system. OFBiz is an Apache Software Foundation top-level project.
It also provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise.
Apache OFBiz has unsafe deserialization prior to 17.12.06. The vulnerability, rated HIGH severity, allows an unauthenticated adversary to remotely seize control of the open-source Enterprise Resource Planning (ERP) system.
An unauthenticated attacker can use this vulnerability to take over Apache OFBiz completely.
Specifically, a malicious party can tamper with the serialized data sent over RMI to insert arbitrary code; when that data is deserialized, it can result in remote code execution.
Affected versions: OFBiz versions prior to 17.12.06.
To mitigate the risk associated with the flaw, it is recommended to upgrade Apache OFBiz to the latest version (17.12.06).
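As an added illustration (not OFBiz project code), the following Java program shows the defensive control for this bug class: a JEP 290 deserialization allow-list that rejects any class the receiver does not expect before that class's readObject logic can run. The class and field names are constructed for the demo; the same filter syntax can be applied JVM-wide with the `jdk.serialFilter` system property, but upgrading to 17.12.06 remains the fix.

```java
import java.io.*;

public class SerialFilterDemo {

    // Benign application type the receiver expects (constructed for the demo).
    static class OrderNote implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        OrderNote(String text) { this.text = text; }
    }

    // Stand-in for an unexpected class arriving in attacker-controlled bytes
    // (harmless here; a real gadget class would run code during readObject).
    static class UnexpectedType implements Serializable {
        private static final long serialVersionUID = 1L;
        int value = 42;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Allow-list filter: only OrderNote may be deserialized; "!*" rejects all else.
    // The same pattern string works process-wide via -Djdk.serialFilter=... (Java 9+),
    // which also covers RMI streams the application does not construct itself.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
            "SerialFilterDemo$OrderNote;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allowList);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        OrderNote ok = (OrderNote) deserializeFiltered(serialize(new OrderNote("expected")));
        System.out.println("allowed: " + ok.text);
        try {
            deserializeFiltered(serialize(new UnexpectedType()));
        } catch (InvalidClassException e) {
            // The filter rejects the class before any of its fields are read.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```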