Critical RCE Vulnerability Found in Apache OFBiz ERP Software—Patch Now (Security News, March 2021)
The Apache Software Foundation on Friday addressed a high-severity vulnerability in Apache OFBiz that could allow an unauthenticated adversary to remotely seize control of the open-source enterprise resource planning system.
Tracked as CVE-2021-26295, the flaw affects all versions of the software prior to 17.12.06 and stems from unsafe deserialization of untrusted data, which lets an unauthenticated remote attacker execute arbitrary code directly on the server.
OFBiz is a Java-based web framework for automating enterprise processes and offers a wide range of functionality, including accounting, customer relationship management, manufacturing operations management, order management, supply chain fulfillment, and warehouse management, among others.
"An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz," OFBiz developer Jacques Le Roux noted.
Unsafe deserialization has been a source of data integrity and other security issues, with the Open Web Application Security Project noting that "Data which is untrusted cannot be trusted to be well formed, [and that] malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code, when deserialized."
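To make the vulnerability class concrete, the following is an added example in Java, the language OFBiz is written in. It is illustrative code, not OFBiz's code, and it does not reproduce the actual CVE-2021-26295 code path; the class names `DeserializationDemo` and `OrderRequest` are assumed for illustration. It places the vulnerable pattern, an unfiltered `ObjectInputStream.readObject()` on bytes a client controls, next to a hardened version that uses an `ObjectInputFilter` allowlist (JEP 290, Java 9 and later), and shows the filter rejecting a class the endpoint never expected. No exploit gadget chain is included; the "unexpected" payload is a plain `HashMap`, which is enough to show the allowlist doing its job.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

/*
 * Added illustration (hypothetical, not OFBiz's own code or its fixed code path):
 * a service that feeds client-supplied bytes to ObjectInputStream.readObject()
 * lets the client choose which classes get instantiated. With a gadget chain on
 * the classpath that becomes remote code execution. The hardened variant uses an
 * ObjectInputFilter (JEP 290, Java 9+) to allow only the types the endpoint expects.
 */
public class DeserializationDemo {

    /* Hypothetical request type the endpoint legitimately expects. */
    public static final class OrderRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;
        final int quantity;

        OrderRequest(String orderId, int quantity) {
            this.orderId = orderId;
            this.quantity = quantity;
        }
    }

    /* VULNERABLE pattern: instantiates whatever classes the byte stream names. */
    static Object unsafeDeserialize(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    /* HARDENED: allowlist the expected classes, cap depth and size, reject everything else.
     * Patterns are evaluated in order; the trailing "!*" is what turns this into an allowlist. */
    static Object safeDeserialize(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
            "DeserializationDemo$OrderRequest;java.lang.String;!*;maxdepth=5;maxbytes=4096");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(allowlist);
            return in.readObject(); // throws InvalidClassException if the filter rejects a class
        }
    }

    /* Serializes an object the way a client would before sending it. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one legitimate request, one class the endpoint never asked for.
        byte[] legit = serialize(new OrderRequest("ORD-1001", 3));
        Map<String, String> foreign = new HashMap<>();
        foreign.put("k", "v");
        byte[] unexpected = serialize(foreign);

        OrderRequest a = (OrderRequest) unsafeDeserialize(legit);
        OrderRequest b = (OrderRequest) safeDeserialize(legit);
        System.out.println("legit request accepted by both paths: " + a.orderId + " / " + b.orderId);

        // The unfiltered path instantiates the foreign class without complaint.
        System.out.println("unsafe path instantiated: " + unsafeDeserialize(unexpected).getClass().getName());

        // The filtered path rejects it before any of that class's deserialization logic runs.
        try {
            safeDeserialize(unexpected);
            System.out.println("filter did not reject (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("safe path rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with a Java 9 or later JDK (`javac DeserializationDemo.java && java DeserializationDemo`). The same filter syntax can be applied process-wide with the `jdk.serialFilter` system property, which is a useful stopgap for an application whose deserialization entry points are not all known; a per-stream allowlist of the endpoint's own types, as above, is the stronger control. Blocklisting known gadget classes is not a substitute, since new gadget chains keep appearing in common libraries.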
Users are advised to upgrade Apache OFBiz to version 17.12.06 or later to mitigate the risk associated with the flaw.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK (CVSS base score)
---|---|---|---
2021-03-22 | CVE-2021-26295 | Deserialization of Untrusted Data vulnerability in Apache OFBiz: unsafe deserialization in versions prior to 17.12.06 | 9.8