The Apache Software Foundation on Friday addressed a high-severity vulnerability in Apache OFBiz that could have allowed an unauthenticated adversary to remotely seize control of the open-source enterprise resource planning (ERP) system.
Tracked as CVE-2021-26295, the flaw affects all versions of the software prior to 17.12.06 and uses "unsafe deserialization" as an attack vector to allow unauthorized remote attackers to execute arbitrary code on a server directly.
OFBiz is a Java-based web framework for automating enterprise processes and offers a wide range of functionality, including accounting, customer relationship management, manufacturing operations management, order management, supply chain fulfillment, and a warehouse management system, among others.
Specifically, by exploiting this flaw, a malicious party can tamper with serialized data to insert arbitrary code that, when deserialized, can potentially result in remote code execution.
"An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz," OFBiz developer Jacques Le Roux noted.
Unsafe deserialization has been a source of data integrity and other security issues, with the Open Web Application Security Project (OWASP) noting that "data which is untrusted cannot be trusted to be well formed, [and that] malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code, when deserialized."
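The OWASP point above is the general lesson of this class of bug: Java's native `ObjectInputStream` will instantiate whatever class names appear in an untrusted byte stream, and the class's own deserialization hooks run before application code sees the object. The standard defence-in-depth control on Java 9 and later is a JEP 290 `ObjectInputFilter` that allow-lists the few types an endpoint legitimately expects and rejects everything else before any class is resolved. The following is an added, self-contained example written for this page; it is not OFBiz code and is not the project's fix (the fix is the upgrade to 17.12.06). The `OrderSummary` and `NotExpected` classes, the filter pattern and the limits are all invented for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * Added example (hypothetical class names): deserializing untrusted bytes
 * only through a JEP 290 ObjectInputFilter allow-list. Requires Java 9+.
 */
public class DeserializationFilterDemo {

    /** The one application type this endpoint expects on the wire (hypothetical). */
    public static final class OrderSummary implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;
        final int quantity;

        OrderSummary(String orderId, int quantity) {
            this.orderId = orderId;
            this.quantity = quantity;
        }
    }

    /** Stand-in for any class that is NOT on the allow-list (hypothetical). */
    public static final class NotExpected implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note = "should never be instantiated from untrusted input";
    }

    /** Plain Java serialization, used here only to build sample input. */
    static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    /**
     * Deserialize with an allow-list: only OrderSummary and java.base types
     * (String, boxed primitives, ...) may be resolved. Any other class name in
     * the stream is rejected before it is loaded or its readObject hook runs.
     * The depth and byte limits bound resource use from crafted streams.
     */
    static Object deserializeUntrusted(byte[] data) throws IOException, ClassNotFoundException {
        String pattern = "maxdepth=8;maxbytes=65536;"
                + DeserializationFilterDemo.class.getName() + "$OrderSummary;"
                + "java.base/*;"
                + "!*";  // reject everything not matched above
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input of the expected type: accepted.
        byte[] good = serialize(new OrderSummary("ORD-1001", 3));
        OrderSummary ok = (OrderSummary) deserializeUntrusted(good);
        System.out.println("accepted: " + ok.orderId + " x" + ok.quantity);

        // Constructed sample input of a type outside the allow-list: rejected.
        byte[] unexpected = serialize(new NotExpected());
        try {
            deserializeUntrusted(unexpected);
            System.out.println("BUG: class outside the allow-list was deserialized");
        } catch (InvalidClassException e) {
            // The JDK reports the filter decision, e.g. "filter status: REJECTED".
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern syntax can be set process-wide with the `jdk.serialFilter` system property, which is the practical way to put a floor under a large codebase such as an ERP without touching every `readObject` call site; per-stream filters as above then narrow it further for specific endpoints.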
r00t4dm at Cloud-Penetrating Arrow Lab, MagicZero from SGLAB of Legendsec at Qi'anxin Group, and Longofo at Knownsec 404 Team have been credited with reporting the vulnerability.
It's recommended to upgrade Apache OFBiz to the latest version (17.12.06) to mitigate the risk associated with the flaw.