Critical RCE Vulnerability Found in Apache OFBiz ERP Software

The Apache Software Foundation on 19th March 2021 addressed a high severity vulnerability in Apache OFBiz that could have allowed an unauthenticated adversary to remotely seize control of the open-source enterprise resource planning (ERP) system. The flaw affects all versions of the software prior to 17.12.06 and employs an "unsafe deserialization" as an attack vector to permit unauthorized remote attackers to execute arbitrary code on a server directly.


Affected CVE-CVE-2021-26295


How the exploitation works?

  1. OFBiz is a Java-based web framework for automating enterprise processes and offers a wide range of functionality, including accounting, customer relationship management, manufacturing operations management, order management, supply chain fulfilment, and warehouse management system, among others.
  2. Specifically, by exploiting this flaw, a malicious party can tamper with serialized data to insert arbitrary code that, when deserialized, can potentially result in remote code execution.
  3. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.
  4. Unsafe deserialization has been a source of data integrity and other security issues, with the Open Web Application Security Project (OWASP) noting that data which is untrusted cannot be trusted to be well formed, [and that] malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code, when deserialized.


It is recommended to upgrade Apache OFBiz to the latest version (17.12.06) to mitigate the risk associated with the flaw.