Apache OFBiz Deserialization Remote Code Execution Vulnerability (CVE-2021-29200 and CVE-2021-30128)
Apr 29, 2021 GMT+08:00
I. Overview
Apache OFBiz has released security notices about two deserialization remote code execution vulnerabilities (CVE-2021-29200 and CVE-2021-30128) affecting versions earlier than 17.12.07. A remote attacker who sends a crafted request can exploit these vulnerabilities to execute arbitrary code on the target system.
Apache OFBiz is an open-source enterprise resource planning (ERP) system. If you run Apache OFBiz, check your deployed version and apply the security fix promptly.
For more information about the vulnerabilities, visit the following websites:
https://www.mail-archive.com/announce@apache.org/msg06506.html
https://www.mail-archive.com/announce@apache.org/msg06507.html
II. Severity
Severity: important
(Severity levels: low, moderate, important, critical)
III. Affected Products
Affected versions:
Apache OFBiz earlier than 17.12.07
Secure versions:
Apache OFBiz 17.12.07
IV. Vulnerability Handling
These vulnerabilities have been fixed in the newly released version. If your deployed version falls into the affected range, upgrade it to the latest secure version:
https://ofbiz.apache.org/download.html#vulnerabilities
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.