430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

RCE flaw in Apache OFBiz could allow to take over the ERP system

The Apache Software Foundation fixed a high severity remote code execution flaw in Apache OFBiz that could have allowed attackers to take over the ERP system. The Apache Software Foundation addressed last week a high severity vulnerability in Apache OFBiz, tracked as CVE-2021-26295, that could have allowed a remote, unauthenticated attacker to take over the […]

Apache OFBiz

The Apache Software Foundation fixed a high severity remote code execution flaw in Apache OFBiz that could have allowed attackers to take over the ERP system.

The Apache Software Foundation addressed last week a high severity vulnerability in Apache OFBiz, tracked as CVE-2021-26295, that could have allowed a remote, unauthenticated attacker to take over the ERP system.

Unsafe deserialization occurs when malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code when deserialized. This category of issue could compromise the availability, authorization process, and bypass access control.

Apache OFBiz is an open-source enterprise resource planning (ERP) system that provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise.

The issue is unsafe deserialization that affects versions prior to 17.12.06, it could allow unauthorized remote attackers to execute arbitrary code on the server and potentially take over the open-source ERP system.

“Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.” wrote Jacques Le Roux.

The flaw was reported by r00t4dm at Cloud-Penetrating Arrow Lab, MagicZero from SGLAB of Legendsec at Qi’anxin Group, and Longofo at Knownsec 404 Team.

Admins have to upgrade their OFBiz install to the latest version (17.12.06) as soon as possible.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, OFBiz)

[adrotate banner=”5″]

[adrotate banner=”13″]