RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI
CVE-2021-26295

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Ofbiz
Vendor: CVE Published:; 22 March 2021

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 97%

Summary

Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.

Affected Version(s)

Apache OFBiz Apache OFBiz 17.12.01 to 17.12.05

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2021-26295
Created by yumusb

ofbiz-poc
Created by yuaneuro

CVE-2021-26295-Apache-OFBiz
Created by rakjong

References

https://lists.apache.org/thread.html/r3c1802eaf34aa78a61b...

x_refsource_MISC

https://lists.apache.org/thread.html/r6e4579c4ebf7efeb462...

mailing-listx_refsource_MLIST

https://lists.apache.org/thread.html/r0d97a3b7a14777b9e9e...

mailing-listx_refsource_MLIST

EPSS Score

97% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
May 13, 2021
👾
Exploit known to exist
May 13, 2021
Vulnerability published
Mar 22, 2021
Vulnerability Reserved
Jan 28, 2021

Collectors

NVD DatabaseMitre Database4 Proof of Concept(s)

Credit

Apache OFBiz would like to thank the first report from "r00t4dm at Cloud-Penetrating Arrow Lab and Longofo at Knownsec 404 Team" and the second report by MagicZero from SGLAB of Legendsec at Qi'anxin Group.