Software developers using the open-source Apache OFBiz enterprise resource management and e-commerce suite are being urged to apply the latest security update after the discovery of a critical vulnerability that could allow a business to be hacked.
In technical terms, the vulnerability is called a Java serialization problem. Briefly, serialization converts a Java object into a byte stream which can be saved into a file on a local disk or sent over the network to any other machine. Deserialization reverses the process, restoring the serialized byte stream to an object again. This particular bug in OFBiz allows unsafe deserialization in versions prior to 17.12.06.
“An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz,” notes the description of the problem, tracked as CVE-2021-2629, in the NIST vulnerability database.
Apache OFBiz is a Java-based suite of business applications including accounting, warehouse and inventory management, oversight of manufacturing, customer relationship management, order management and e-commerce.
Users can also set up product and catalog management, promotion and pricing management, supply chain fulfillment and payment systems.
As a free suite and framework, it’s appealing to small businesses and not-for-profit organizations. Consulting firms make money from OFBiz by offering customization and support.
UPDATE: In addition, today Adobe posted updates to its ColdFusion web application development platform to cover a critical vulnerability. The updates are for versions 2021, 2016 and 2018.
Adobe also recommends updating the ColdFusion JDK/JRE to the latest version of the LTS releases for 1.8 and JDK 11. Applying the latest ColdFusion security update without a corresponding JDK update won’t secure the server.