
Apache OFBiz Deserialization Remote Code Execution Vulnerability (CVE-2021-26295)

Mar 22, 2021 GMT+08:00

I. Overview

Apache OFBiz has published a security notice disclosing a deserialization remote code execution vulnerability (CVE-2021-26295). The input validation applied to serialized data is insufficient, so a remote attacker can send specially crafted data to the application and execute arbitrary code on the target system.

Apache OFBiz is an open-source enterprise resource planning (ERP) system. If you use Apache OFBiz, check your version and harden your deployment promptly.

For more information about this vulnerability, visit the following website:

https://seclists.org/oss-sec/2021/q1/255

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Products

Affected versions:

Apache OFBiz earlier than 17.12.06

Secure version:

Apache OFBiz 17.12.06

IV. Vulnerability Handling

This vulnerability has been fixed in the latest official release. If your installed version falls within the affected range, upgrade it to the secure version listed above:

https://www.apache.org/dyn/closer.lua/ofbiz/apache-ofbiz-17.12.06.zip
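To decide which installations need the upgrade, the version check has to be numeric rather than lexical: a plain string comparison would rank "17.9.01" above "17.12.06" and treat "17.12.6" and "17.12.06" as different. The following triage helper is an added example written for this notice, not code from Apache OFBiz or from the notice itself; it assumes you have already collected each host's version string (from the administration UI, build metadata, or an inventory system), and the hostnames and versions in the sample inventory are constructed.

```python
"""Triage helper: flag Apache OFBiz installations earlier than the fixed version.

Added example for this notice; the inventory below is constructed.
"""
from __future__ import annotations

import re

FIXED_VERSION = "17.12.06"  # secure version named in the notice


def parse_version(version: str) -> tuple[int, ...]:
    """Convert a dotted version into a tuple of ints for numeric comparison.

    Numeric parsing makes '17.12.06' equal to '17.12.6' and keeps '17.9.01'
    below '17.12.06', which plain string comparison would get wrong. Any
    trailing qualifier after the numeric core (assumed format, e.g. a build
    tag) is ignored; such builds should be verified by hand.
    """
    core = re.match(r"[0-9]+(?:\.[0-9]+)*", version.strip())
    if core is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in core.group(0).split("."))


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is earlier than the fixed version."""
    return parse_version(installed) < parse_version(fixed)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split an inventory {host: version} into affected / not_affected / unknown.

    Hosts whose version string cannot be parsed land in 'unknown' so they are
    reviewed manually instead of silently passing.
    """
    result: dict[str, list[str]] = {"affected": [], "not_affected": [], "unknown": []}
    for host, version in inventory.items():
        try:
            bucket = "affected" if is_affected(version) else "not_affected"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up)
SAMPLE_INVENTORY = {
    "erp-prod-01": "17.12.05",
    "erp-prod-02": "17.12.06",
    "erp-test-01": "17.9.01",
    "erp-dev-01": "17.12.6",
    "erp-legacy": "16.11.05",
    "erp-misc": "unknown-build",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Anything reported as "affected" should be upgraded to 17.12.06; anything "unknown" needs its version confirmed on the host before it is cleared.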

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.