The Apache Software Foundation has fixed a vulnerability in Apache OFBiz that could allow an unauthenticated attacker to remotely take control of a vulnerable installation of the open source ERP (Enterprise Resource Planning) system.
OFBiz is a Java-based platform designed to automate various corporate processes. The platform offers a wide range of functions including, for example, accounting, customer relationship management, manufacturing operations management, order management, supply chain control and a warehouse management system.
The vulnerability received the identifier CVE-2021-26295 and affects all versions of OFBiz up to 12/17/06. The issue stems from insecure deserialization and allows unauthenticated remote attackers to execute arbitrary code directly on the server.
The developers explained that an attacker can tamper with the serialized data by injecting arbitrary code into it; when the server deserializes that data, the injected code can be executed remotely. In other words, the bug can be used to take full control of Apache OFBiz.
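To make the mechanism concrete, here is an added Java example (not code from OFBiz or its fix) contrasting the vulnerable pattern, where `ObjectInputStream.readObject()` instantiates whatever class the incoming bytes name, with the hardened pattern, where an allowlist deserialization filter (JEP 290, Java 9+) rejects every class the endpoint was never meant to accept before any object is created. The class names `DeserializationDemo` and `OrderRequest` and the sample streams are hypothetical and constructed for the demo.

```java
import java.io.*;
import java.util.Map;

public class DeserializationDemo {

    // Hypothetical DTO standing in for whatever object a real endpoint legitimately expects.
    public static final class OrderRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;
        OrderRequest(String orderId) { this.orderId = orderId; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: any class named in the stream is instantiated, and its
    // readObject()/readResolve() code runs before the application sees the result.
    static Object unsafeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: an allowlist filter decides per class, with depth and size limits,
    // before instantiation; the trailing "!*" rejects everything not explicitly listed.
    static Object safeRead(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "DeserializationDemo$OrderRequest;java.lang.String;maxdepth=4;maxbytes=4096;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new OrderRequest("ORD-1"));
        // Constructed stream naming a class the endpoint never expects; a harmless
        // HashMap stands in for the unexpected class.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>(Map.of("k", "v")));
        System.out.println("unsafe accepts legit:      " + (unsafeRead(legit) instanceof OrderRequest));
        System.out.println("unsafe accepts unexpected: " + (unsafeRead(unexpected) != null));
        System.out.println("safe accepts legit:        " + (safeRead(legit) instanceof OrderRequest));
        try {
            safeRead(unexpected);
            System.out.println("safe accepts unexpected:   true");
        } catch (InvalidClassException e) {
            System.out.println("safe accepts unexpected:   false (" + e.getMessage() + ")");
        }
    }
}
```

The filter can also be applied process-wide with the `jdk.serialFilter` system property, which is the usual first mitigation for an application whose deserialization endpoints cannot be patched immediately.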