Apache OFBiz users urged to install latest version fast


Software developers using the open-source Apache OFBiz enterprise resource management and e-commerce suite are being urged to apply the latest security update after the discovery of a critical vulnerability that could let an attacker take over a business's installation.

In technical terms, the vulnerability is an unsafe Java deserialization flaw. Briefly, serialization converts a Java object into a byte stream that can be saved to a file on a local disk or sent over the network to another machine. Deserialization reverses the process, restoring the serialized byte stream to an object again. The danger arises when a program deserializes bytes it receives from an untrusted source without restricting which classes may be reconstructed. This particular bug in OFBiz allows unsafe deserialization in versions prior to 17.12.06.
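To make the distinction concrete, here is an added example (not OFBiz code, and not the OFBiz fix) that deserializes the same byte stream twice: once with a bare ObjectInputStream, and once with a JEP 290 serialization filter (available since JDK 9) that allows only the expected class. The `Order` class and the sample payloads are constructed for this illustration.

```java
import java.io.*;

// Added example, not part of OFBiz: the same bytes read unsafely and with a class allow-list.
public class DeserializationFilterDemo {

    // Harmless serializable payload class, constructed for this example.
    static class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        String sku; int qty;
        Order(String sku, int qty) { this.sku = sku; this.qty = qty; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Unsafe pattern: whatever class the stream names gets instantiated, so any
    // class on the classpath is reachable from untrusted input.
    static Object unsafeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: a JEP 290 filter allows only Order (and String for its field),
    // caps graph depth, reference count and size, and rejects every other class ("!*").
    static Object safeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "DeserializationFilterDemo$Order;java.lang.String;maxdepth=5;maxrefs=20;maxbytes=4096;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Order("SKU-1", 3));
        // A HashMap stands in for any class the application did not expect to receive.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());
        System.out.println("unsafe reader accepted: " + unsafeDeserialize(unexpected).getClass());
        System.out.println("filtered reader accepted: " + ((Order) safeDeserialize(expected)).sku);
        try {
            safeDeserialize(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered reader rejected: " + e.getMessage());
        }
    }
}
```

The filter rejects with an `InvalidClassException` (status REJECTED) before the unexpected class is instantiated; a rejection like this in application logs is the detection signal a defender would look for.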

“An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz,” notes the description of the problem, tracked as CVE-2021-2629, in the NIST vulnerability database.

The patch can be found here.

Apache OFBiz is a Java-based suite of business applications including accounting, warehouse and inventory management, oversight of manufacturing, customer relationship management, order management and e-commerce.

Users can also set up product and catalog management, promotion and pricing management, supply chain fulfillment and payment systems.

As a free suite and framework, it’s appealing to small businesses and not-for-profit organizations. Consulting firms make money from OFBiz by offering customization and support.

UPDATE: In addition, today Adobe posted updates to its ColdFusion web application development platform to cover a critical vulnerability. The updates are for versions 2021, 2016 and 2018.

Adobe also recommends updating the ColdFusion JDK/JRE to the latest LTS releases of JDK 1.8 and JDK 11. Applying the latest ColdFusion security update without a corresponding JDK update won't secure the server.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com