RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI
CVE-2021-29200

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Ofbiz
Vendor: CVE Published:; 27 April 2021

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 92%

Summary

Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack

Affected Version(s)

Apache OFBiz Apache OFBiz < 17.12.07

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2021-29200
Created by freeide

References

https://lists.apache.org/thread.html/re21d25d9fb89e36cea9...

x_refsource_MISC

http://www.openwall.com/lists/oss-security/2021/04/27/4

mailing-listx_refsource_MLIST

https://lists.apache.org/thread.html/r708351f1a8af7adb887...

mailing-listx_refsource_MLIST

EPSS Score

92% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
May 11, 2021
👾
Exploit known to exist
May 11, 2021
Vulnerability published
Apr 27, 2021
Vulnerability Reserved
Mar 25, 2021

Credit

Apache OFBiz would like to thank the first report from "r00t4dm at Cloud-Penetrating Arrow Lab, asd of MoyunSec V-Lab <[email protected]> and 赖涵 <[email protected]> a bit later