
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN247
_____________________________________________________________________

DATE                : 28/04/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache OFBiz versions prior to 17.12.07.

=====================================================================
http://mail-archives.apache.org/mod_mbox/www-announce/202104.mbox/%3cfec5f041-0cc9-730f-478c-15926792b2a7@apache.org%3e
http://mail-archives.apache.org/mod_mbox/www-announce/202104.mbox/%3c74ac1d8c-ad68-3ceb-8445-624bce15087f@apache.org%3e
_____________________________________________________________________

[CVE-2021-29200] RCE vulnerability in latest Apache OFBiz due to Java
serialisation using RMI

Severity:
High, possible RCE

Vendor:
The Apache Software Foundation

Versions Affected:
OFBiz versions prior to 17.12.07

Description:
Apache OFBiz versions prior to 17.12.07 perform unsafe deserialization.
An unauthenticated user can perform an RCE attack.

Mitigation:
Upgrade to at least 17.12.07
or apply one of the patches at
https://issues.apache.org/jira/browse/OFBIZ-12216

Credit:
r00t4dm at Cloud-Penetrating Arrow Lab <r00t4dm@gmail.com>
asd of MoyunSec V-Lab <root@thiscode.cc>
赖涵 <1044309102@qq.com>

References:
http://ofbiz.apache.org/download.html#vulnerabilities

_____________________________________________________________________

[CVE-2021-30128] Unsafe deserialization in OFBiz
Severity:
High, possible RCE

Vendor:
The Apache Software Foundation

Versions Affected:
OFBiz versions prior to 17.12.07

Description:
Apache OFBiz versions prior to 17.12.07 perform unsafe deserialization.

Mitigation:
Upgrade to at least 17.12.07
or apply the patches at https://issues.apache.org/jira/browse/OFBIZ-12212
and OFBIZ-12221

Credit:
Litch1 from the Security Team of Alibaba Cloud <litch1chk@gmail.com>

References:
http://ofbiz.apache.org/download.html#vulnerabilities
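Both advisories above share the same remediation threshold (fixed in OFBiz 17.12.07), so a defender triaging an inventory only needs to compare release strings against that value. The helper below is an added example written for this note; it is not CERT-Renater or Apache code. It assumes the operator already knows each host's OFBiz release string and only does the comparison; treating a "-SNAPSHOT" build as older than the numbered release it precedes is a conservative assumption of this example, not something the advisories state.

```python
"""Triage helper for CVE-2021-29200 / CVE-2021-30128 (fixed in OFBiz 17.12.07).

Added example for this advisory, not CERT-Renater or Apache code.
Assumes release strings are already known for each host.
"""
import re
from typing import Dict, Tuple

# Threshold taken from the advisories: everything before this is affected.
FIXED_RELEASE = "17.12.07"

_RELEASE_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([A-Za-z0-9.]+))?$")


def parse_release(version: str) -> Tuple[Tuple[int, ...], int]:
    """Turn '17.12.07' or '17.12.07-SNAPSHOT' into a comparable key.

    Numeric parts compare as integers, so '17.12.7' equals '17.12.07'.
    A pre-release suffix (e.g. -SNAPSHOT) sorts before the final release
    with the same number (assumption: a snapshot may predate the fix).
    """
    m = _RELEASE_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OFBiz release string: {version!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    is_final = 0 if m.group(2) else 1
    return numbers, is_final


def is_vulnerable(version: str, fixed: str = FIXED_RELEASE) -> bool:
    """True when `version` sorts strictly before the fixed release."""
    return parse_release(version) < parse_release(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'VULNERABLE' / 'ok' / 'unknown' for an inventory of
    host -> OFBiz release string. Unparseable strings are reported as
    'unknown' rather than silently treated as safe."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = "VULNERABLE" if is_vulnerable(version) else "ok"
        except ValueError:
            report[host] = "unknown"
    return report


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "erp-prod.example.invalid": "17.12.06",
        "erp-test.example.invalid": "17.12.07-SNAPSHOT",
        "erp-new.example.invalid": "17.12.07",
        "erp-legacy.example.invalid": "16.11.05",
        "erp-odd.example.invalid": "unknown-build",
    }
    for host, status in triage(sample).items():
        print(f"{host:28s} {sample[host]:20s} {status}")
```

Hosts reported as VULNERABLE should be upgraded to at least 17.12.07 or patched per the Jira issues above; an "unknown" result means the release string could not be parsed and needs a manual look rather than being assumed safe.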
=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================