Friday, September 13, 2024
HomeCVE/vulnerabilityRCE Flaw in Apache OFBiz Allowed An Attackers to Take Over The...

RCE Flaw in Apache OFBiz Allowed An Attackers to Take Over The ERP System

Published on

The developers at Apache Software Foundation have recently fixed a critical RCE flaw (CVE-2021-26295) in Apache OFBiz. This flaw could allow an unauthenticated attacker to remotely execute and take control of a vulnerable open source Enterprise Resource Planning system (ERP).

Apache OFBiz is a Java-based platform that is designed to automate various corporate processes. OFBiz offers a wide range of functions and here we have mentioned them below:-

  • Accounting
  • Customer relationship management
  • Manufacturing operations management
  • Order management
  • Supply chain control
  • Warehouse management system

CVE-2021-26295 – RCE vulnerability in latest Apache OFBiz

  • Severity: High
  • Vendor: The Apache Software Foundation
  • Versions Affected: OFBiz versions prior to 17.12.06

This RCE flaw affects all the versions of the software prior to 17.12.06, and the security researchers have classified this flaw as high. This flaw allows an unauthorized attacker to use “insecure deserialization” as an attack vector to execute arbitrary code on the server remotely.

- Advertisement - EHA

In short, a remote attacker can easily change the serialized data simply by injecting the arbitrary code into it, during the deserialization, and as a result, this could lead execution of this code remotely.

Expert’s advice

Cybersecurity analysts have recommended users to immediately update their current system version to the latest version (17.12.06), to avoid being exploited by hackers.

Moreover, the teams of cybersecurity researchers, r00t4dm at Cloud-Penetrating Arrow Lab, MagicZero from SGLAB of Legendsec at Qi’anxin Group, and Longofo at Knownsec 404 have been also credited for reporting this critical RCE security flaw.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Citrix Workspace App Vulnerable to Privilege Escalation Attacks

Citrix released a security bulletin (CTX691485) detailing two critical vulnerabilities in the Citrix Workspace...

Beware Of Weaponized Excel Document That Delivers Fileless Remcos RAT

A recent advanced malware campaign leverages a phishing attack to deliver a seemingly benign...

Hackers Exploiting Apache OFBiz RCE Vulnerability in the Wild

A critical vulnerability in the Apache OFBiz framework has been actively exploited by hackers....

Docker Desktop Vulnerabilities Let Attackers Execute Remote Code

Docker has addressed critical vulnerabilities in Docker Desktop that could allow attackers to execute...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Beware Of Weaponized Excel Document That Delivers Fileless Remcos RAT

A recent advanced malware campaign leverages a phishing attack to deliver a seemingly benign...

CosmicBeetle Exploiting Old Vulnerabilities To Attacks SMBs All Over The World

CosmicBeetle, a threat actor specializing in ransomware, has recently replaced its old ransomware, Scarab,...

Researchers Hacked Car EV Chargers To Execute Arbitrary Code

Researchers discovered flaws in the Autel MaxiCharger EV charger that make it potential to...