An unsafe Java deserialization issue that could be exploited to execute code remotely without authentication is one of the vulnerabilities addressed by the new Apache OFBiz update.
Apache OFBiz is an open source enterprise resource planning (ERP) system that provides a suite of applications to automate business processes within enterprise environments and can be used in any industry. It is a Java-based web platform.
OFBiz was one of the platforms affected by a Java serialisation vulnerability discovered and published in 2015, which affected OFBiz’s Apache Commons Collections and Apache Groovy libraries.
Although patches for both libraries were released, the risks of using RMI, JNDI, JMX, or Spring – as well as probably other Java classes – were not removed. A whitelist was later added to provide additional protections against potential Java serialisation vulnerabilities.
Apache added the ability to reject objects after resolving a problem (CVE-2019-0189) with the ObjectInputStream class, which allowed users to add their own objects/classes to the list of objects used by OFBiz OOTB (Out Of The Box).
The patch for CVE-2021-26295 is included in Apache OFBiz 17.12.06, the sixth and final update of the 17.12 series, and adds a “blacklist (to be renamed soon to denylist) in Java serialisation.”
The commit that fixes the security issue is tracked as OFBIZ-12167 and “adds an example based on RMI, which is considered to be a problem,” according to OFBiz expert developer Jacques Le Roux.
He describes that the unsafe deserialization could be used to remotely execute code, effectively allowing an unauthenticated attacker to take control of Apache OFBiz. Potential manipulation attempts can be avoided by updating OFBiz to the 17.12.06 set.