Apache OFBiz users urged to install latest version fast

Software developers using the open-source Apache OFBiz enterprise resource management and e-commerce suite are being urged to apply the latest security update after the discovery of a critical vulnerability that could allow a business to be hacked.

In technical terms, the vulnerability is called a Java serialization problem. Briefly, serialization converts a Java object into a byte stream which can be saved into a file on a local disk or sent over the network to any other machine. Deserialization reverses the process, restoring the serialized byte stream to an object again. This particular bug in OFBiz allows unsafe deserialization in versions prior to 17.12.06.

“An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz,” notes the description of the problem, tracked as CVE-2021-2629, in the NIST vulnerability database.

The patch can be found here.

Apache OFBiz is a Java-based suite of business applications including accounting, warehouse and inventory management, oversight of manufacturing, customer relationship management, order management and e-commerce.

Users can also set up product and catalog management, promotion and pricing management, supply chain fulfillment and payment systems.

As a free suite and framework, it’s appealing to small businesses and not-for-profit organizations. Consulting firms make money from OFBiz by offering customization and support.

UPDATE: In addition, today Adobe posted updates to its ColdFusion web application development platform to cover a critical vulnerability. The updates are for versions 2021, 2016 and 2018.

Adobe also recommends updating the ColdFusion JDK/JRE to the latest version of the LTS releases for 1.8 and JDK 11. Applying the latest ColdFusion security update without a corresponding JDK update won’t secure the server.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now