[CVE-2021-29200] RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI

jleroux@apache.org
Severity:
High, possible RCE

Vendor:
The Apache Software Foundation

Versions Affected:
OFBiz versions prior to 17.12.07

Description:
Apache OFBiz has unsafe deserialization prior to version 17.12.07.
An unauthenticated user can perform an RCE attack.

Mitigation:
Upgrade to at least 17.12.07
or apply one of the patches at https://issues.apache.org/jira/browse/OFBIZ-12216

Credit:
r00t4dm at Cloud-Penetrating Arrow Lab <[hidden email]>
asd of MoyunSec V-Lab <[hidden email]>
赖涵 <[hidden email]>

References:
http://ofbiz.apache.org/download.html#vulnerabilities
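The advisory above names the bug class (unsafe Java deserialization reached over RMI) but not the mechanism a reader can use to recognise or contain it in their own code. The following is an added example, not OFBiz code and not the fix referenced in OFBIZ-12216: it shows the generic JEP 290 `ObjectInputFilter` allow-list that Java 9+ offers, with an unfiltered `readObject()` beside its filtered counterpart. The class allow-list pattern, the `DeserialFilterDemo` class name and the constructed payloads are assumptions for this demo; the `java.util.HashMap` payload merely stands in for any class the endpoint never meant to accept, since real gadget chains are built from ordinary JDK and library classes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

/** Added example (not OFBiz code): a JEP 290 deserialization allow-list. */
public class DeserialFilterDemo {

    // Allow only the classes this endpoint expects and reject everything else ("!*").
    // The list itself is an assumption for the demo, not OFBiz's configuration.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "java.lang.String;java.util.ArrayList;maxdepth=5;maxarray=1000;!*");

    // Vulnerable pattern: untrusted bytes go straight into readObject() with no filter,
    // so any serializable class on the classpath can be instantiated by the sender.
    static Object unsafeReadObject(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern: the same stream, but the allow-list is attached before readObject().
    // A class outside the list aborts the read with InvalidClassException before
    // its readObject()/readResolve() logic ever runs.
    static Object safeReadObject(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOW_LIST);
            return in.readObject();
        }
    }

    // Helper to build constructed payloads for the demo.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign payload: a list of strings, which the allow-list permits.
        List<String> benign = new ArrayList<>();
        benign.add("hello");
        System.out.println("benign, filtered: " + safeReadObject(serialize(benign)));

        // Constructed unexpected payload: a class the endpoint never meant to accept.
        byte[] unexpected = serialize(new HashMap<String, String>());
        System.out.println("unexpected, unfiltered: "
                + unsafeReadObject(unexpected).getClass().getName());
        try {
            safeReadObject(unexpected);
            System.out.println("unexpected, filtered: accepted (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("unexpected, filtered: rejected (" + e.getMessage() + ")");
        }
    }
}
```

For an RMI endpoint the stream is created by the RMI runtime rather than by application code, so a per-stream `setObjectInputFilter()` is not reachable; the same allow-list syntax can instead be installed process-wide with the `jdk.serialFilter` system property (for example `-Djdk.serialFilter='java.lang.String;java.util.ArrayList;!*'`), which every `ObjectInputStream` in the JVM, including RMI's, consults. That is a defence-in-depth layer, not a substitute for upgrading to 17.12.07 or applying the referenced patch.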