Critical RCE bug found in Apache OFBiz; everyone is advised to patch

Apache Software Foundation developers reported the release of a patch for CVE-2021-26295, a vulnerability whose successful exploitation could allow unauthenticated threat actors to take full control of the Apache OFBiz ERP system. The flaw was described as an unsafe deserialization error, which occurs when an application rebuilds objects from data it does not validate, so that incorrectly formatted input can be used to abuse the application’s logic, resulting in serious service flaws and even a denial of service (DoS) condition.

Apache OFBiz is an open source enterprise resource planning (ERP) system that provides a suite of enterprise applications integrating and automating many of a company’s business processes.

The insecure deserialization flaw affects versions prior to 17.12.06 and could allow unauthenticated remote attackers to execute arbitrary code on the server and potentially take over the open source ERP system.
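As an added illustration of the vulnerability class (this is example code, not from the OFBiz project or the advisory), the snippet below shows the unsafe Java deserialization pattern next to its hardened form using the Java 9+ `ObjectInputFilter` allow-list; the `OrderSummary` class and the allow-list contents are assumptions standing in for whatever types an application legitimately expects.

```java
import java.io.*;
import java.util.Set;

// Added example: an allow-list ObjectInputFilter (JEP 290, Java 9+) that vetoes any class
// not expected by the application before the JVM instantiates it.
public class SafeDeserialization {

    // Hypothetical business object the application legitimately expects to receive.
    public static class OrderSummary implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String orderId;
        public final int items;
        public OrderSummary(String orderId, int items) { this.orderId = orderId; this.items = items; }
    }

    // Only these classes may appear anywhere in the deserialized object graph (assumption).
    private static final Set<String> ALLOWED = Set.of(OrderSummary.class.getName(), String.class.getName());

    static ObjectInputFilter allowListFilter() {
        return info -> {
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED;          // size/depth-only callbacks
            if (info.depth() > 4 || info.references() > 100) return ObjectInputFilter.Status.REJECTED;
            while (c.isArray()) c = c.getComponentType();                     // check element type of arrays
            if (c.isPrimitive()) return ObjectInputFilter.Status.ALLOWED;
            return ALLOWED.contains(c.getName()) ? ObjectInputFilter.Status.ALLOWED
                                                 : ObjectInputFilter.Status.REJECTED;
        };
    }

    // Vulnerable pattern: untrusted bytes are deserialized with no restriction on the classes loaded.
    static Object unsafeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern: the same read, but the filter rejects unexpected classes (InvalidClassException).
    static Object safeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(allowListFilter());
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(new OrderSummary("A-1", 3)); }
        System.out.println("expected type accepted: " + ((OrderSummary) safeRead(bos.toByteArray())).orderId);
        bos.reset();  // a HashMap is harmless here, but it is not on the allow-list, so the filter rejects it
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(new java.util.HashMap<String, String>()); }
        try { safeRead(bos.toByteArray()); } catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The same filter can be applied JVM-wide with `ObjectInputFilter.Config.setSerialFilter` so that every `ObjectInputStream` in the process is covered, not only the ones a developer remembers to harden.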

In this regard, cybersecurity researcher Jacques Le Roux mentioned: “Apache OFBiz has unsafe deserialization before 17.12.06. An unauthenticated attacker can use this vulnerability to take control of Apache OFBiz.”

The flaw was reported by researchers “r00t4dm” of Cloud-Penetrating Arrow Lab, “MagicZero” of Legendsec’s SGLAB at Qi’anxin Group, and “Longofo” of the Knownsec 404 Team. Administrators of vulnerable deployments are encouraged to upgrade to the latest available version (17.12.06) as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) website.