Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

[CVE-2021-29200] RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI

Related Vulnerabilities: CVE-2021-29200  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
[CVE-2021-29200] RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: "jleroux () apache org" &lt;jleroux () apache org&gt;

Date: Tue, 27 Apr 2021 21:00:03 +0200

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Severity:
High, possible RCE

Vendor:
The Apache Software Foundation

Versions Affected:
OFBiz versions prior to 17.12.07

Description:
Apache OFBiz has unsafe deserialization prior to 17.12.07 version
An unauthenticated user can perform a RCE attack

Mitigation:
Upgrade to at least 17.12.07
or apply one of the patches at https://issues.apache.org/jira/browse/OFBIZ-12216

Credit:
r00t4dm at Cloud-Penetrating Arrow Lab &lt;r00t4dm () gmail com&gt;
asd of MoyunSec V-Lab &lt;root () thiscode cc&gt;
赖涵 &lt;1044309102 () qq com&gt;

References:
http://ofbiz.apache.org/download.html#vulnerabilities

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

[CVE-2021-29200] RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI jleroux () apache org (Apr 27)

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started