
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN177
_____________________________________________________________________

DATE                : 24/03/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache OFBiz versions prior to 17.12.06

=====================================================================
http://mail-archives.apache.org/mod_mbox/www-announce/202103.mbox/%3cf8a84478-af53-adb1-21c7-db3174e81b7b@apache.org%3e
_____________________________________________________________________

[CVE-2021-26295] RCE vulnerability in latest Apache OFBiz due to Java
serialisation using RMI


Severity:
High

Vendor:
The Apache Software Foundation

Versions Affected:
OFBiz versions prior to 17.12.06


Description:
Apache OFBiz versions prior to 17.12.06 perform unsafe deserialization of
Java objects received over RMI. An unauthenticated attacker can use this
vulnerability to take over the Apache OFBiz installation.


Mitigation:
Upgrade to at least 17.12.06
or apply the patch at
https://github.com/apache/ofbiz-framework/commit/af9ed4e/


Credit:
r00t4dm at Cloud-Penetrating Arrow Lab <r00t4dm () gmail com>
MagicZero from SGLAB of Legendsec at Qi'anxin Group.
Longofo at Knownsec 404 Team


References:
http://ofbiz.apache.org/download.html#vulnerabilities


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================