
List:       apache-announce
Subject:    [CVE-2021-26295] RCE vulnerability in latest Apache OFBiz due to Java serialisation using R
From:       "jleroux () apache ! org" <jleroux () apache ! org>
Date:       2021-03-21 13:01:28
Message-ID: f8a84478-af53-adb1-21c7-db3174e81b7b () apache ! org

Severity:
High

Vendor:
The Apache Software Foundation

Versions Affected:
OFBiz versions prior to 17.12.06

Description:
Apache OFBiz has unsafe deserialization prior to 17.12.06.
An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.

Mitigation:
Upgrade to at least 17.12.06
or apply the patch at https://github.com/apache/ofbiz-framework/commit/af9ed4e/
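The root cause named above is unsafe Java deserialization: an `ObjectInputStream` that instantiates whatever class the incoming bytes name. The following is an added illustration of the defensive pattern for that vulnerability class, written for this page and not taken from the OFBiz patch or code base. It shows the unfiltered read beside a read that installs a per-stream `ObjectInputFilter` allow-list (JEP 290, available since Java 9). The `Ping` class, the allow-list contents and the resource limits are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

public class FilteredDeserialization {

    // Constructed sample type standing in for a legitimate application payload class.
    public static final class Ping implements Serializable {
        private static final long serialVersionUID = 1L;
        final String host;
        Ping(String host) { this.host = host; }
    }

    // Allow-list (constructed): only these classes may be instantiated from the stream.
    private static final Set<String> ALLOWED = Set.of(
        Ping.class.getName(),
        "java.lang.String");

    static ObjectInputFilter allowListFilter() {
        return info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                // Callback for a reference or other non-class stream element:
                // enforce resource limits only (constructed limits).
                if (info.depth() > 5 || info.references() > 100) {
                    return ObjectInputFilter.Status.REJECTED;
                }
                return ObjectInputFilter.Status.UNDECIDED;
            }
            if (c.isArray()) {
                c = c.getComponentType(); // judge arrays by their element type
            }
            return c.isPrimitive() || ALLOWED.contains(c.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
        };
    }

    // Unsafe pattern: deserializes whatever class name the bytes carry.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern: the filter rejects any class outside ALLOWED before it is instantiated.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(allowListFilter());
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] ok = serialize(new Ping("example.invalid"));
        System.out.println("allowed: " + ((Ping) readFiltered(ok)).host);

        // A java.util.HashMap is harmless on its own, but it is not on the allow-list,
        // so the filter refuses it; the unfiltered reader instantiates it blindly.
        byte[] notAllowed = serialize(new java.util.HashMap<String, String>());
        System.out.println("unfiltered accepted: " + readUnfiltered(notAllowed).getClass().getName());
        try {
            readFiltered(notAllowed);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejected: " + e.getMessage());
        }
    }
}
```

The allow-list is the key design choice: a deny-list of known gadget classes ages badly, whereas naming the handful of types a given endpoint is supposed to receive fails closed when something unexpected arrives. A process-wide default can also be set with the `jdk.serialFilter` system property, which covers `ObjectInputStream` instances the application does not construct itself; detection-wise, the `InvalidClassException` with a `filter status: REJECTED` message is worth logging and alerting on, since legitimate clients should never trigger it.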

Credit:
r00t4dm at Cloud-Penetrating Arrow Lab <r00t4dm@gmail.com>
MagicZero from SGLAB of Legendsec at Qi'anxin Group.
Longofo at Knownsec 404 Team

References:
http://ofbiz.apache.org/download.html#vulnerabilities
