The Apache Software Foundation on Friday addressed the infamous Java serialization vulnerability in Apache OFBiz that could have allowed an unauthenticated adversary to remotely seize control of the open-source enterprise resource planning (ERP) system.
Tracked as CVE-2021-26295, the flaw affects all versions of the software prior to 17.12.06 and stems from unsafe deserialization of untrusted data, which permits unauthorized remote attackers to execute arbitrary code directly on the server.
Adds a blacklist (to be renamed soon to denylist) in Java serialisation (CVE-2021-26295).
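As an added example, not code from the OFBiz patch: a JDK `ObjectInputFilter` (Java 9 and later) that applies the same idea as the serialization denylist the fix introduces, in its stricter allowlist form, rejecting every class the application does not expect and capping object-graph depth and stream size. The `SerialFilterDemo` class and the `Unexpected` type are constructed for this demo.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class SerialFilterDemo {
    // Harmless application type that is deliberately NOT on the allowlist,
    // used only to show that an unexpected class is rejected before
    // any instance of it is created.
    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Patterns are checked in order and the first match decides, so the
    // trailing "!*" rejects every class not listed before it. The limits
    // bound depth and total bytes against resource-exhaustion payloads.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=8;maxbytes=65536;"
        + "java.util.ArrayList;java.lang.String;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the filter installed: returns the object, or throws
    // InvalidClassException when the filter rejects a class in the stream.
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected payload: a list of strings, fully covered by the allowlist.
        List<String> ok = new ArrayList<>(List.of("invoice-42", "approved"));
        System.out.println("allowlisted graph: " + deserialize(serialize(ok)));

        // Unexpected class: the filter rejects it and no constructor runs.
        try {
            deserialize(serialize(new Unexpected()));
            System.out.println("unexpected class was NOT rejected");
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide without code changes via the `jdk.serialFilter` system property, which is a quick mitigation for an application whose own deserialization call sites cannot be patched immediately.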
PATCH NOW