RCE Flaw in Apache OFBiz Allowed An Attackers to Take Over The ERP System

The developers at Apache Software Foundation have recently fixed a critical RCE flaw (CVE-2021-26295) in Apache OFBiz. This flaw could allow an unauthenticated attacker to remotely execute and take control of a vulnerable open source Enterprise Resource Planning system (ERP).

Apache OFBiz is a Java-based platform that is designed to automate various corporate processes. OFBiz offers a wide range of functions and here we have mentioned them below:-

  • Accounting
  • Customer relationship management
  • Manufacturing operations management
  • Order management
  • Supply chain control
  • Warehouse management system

CVE-2021-26295 – RCE vulnerability in latest Apache OFBiz

  • Severity: High
  • Vendor: The Apache Software Foundation
  • Versions Affected: OFBiz versions prior to 17.12.06

This RCE flaw affects all the versions of the software prior to 17.12.06, and the security researchers have classified this flaw as high. This flaw allows an unauthorized attacker to use “insecure deserialization” as an attack vector to execute arbitrary code on the server remotely.

In short, a remote attacker can easily change the serialized data simply by injecting the arbitrary code into it, during the deserialization, and as a result, this could lead execution of this code remotely.

Expert’s advice

Cybersecurity analysts have recommended users to immediately update their current system version to the latest version (17.12.06), to avoid being exploited by hackers.

Moreover, the teams of cybersecurity researchers, r00t4dm at Cloud-Penetrating Arrow Lab, MagicZero from SGLAB of Legendsec at Qi’anxin Group, and Longofo at Knownsec 404 have been also credited for reporting this critical RCE security flaw.

Leave a Reply