CVE-2021-26295
📋 TL;DR
Apache OFBiz versions before 17.12.06 contain an unsafe Java deserialization vulnerability in the SOAP component: the SOAP endpoint (/webtools/control/SOAPService) deserializes attacker-supplied Java objects taken from the request body. An unauthenticated attacker who can reach that endpoint can execute arbitrary code as the OFBiz service account and take over the host. Any organization exposing a vulnerable Apache OFBiz instance is at risk.
💻 Affected Systems
- Apache OFBiz, all versions before 17.12.06
📦 What is this software?
Apache OFBiz (Open For Business) is an open-source, Java-based enterprise automation suite from the Apache Software Foundation covering ERP, CRM, e-commerce, accounting and related business applications. It ships its own web framework and exposes services over HTTP, including the SOAP interface affected here.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing remote code execution, data theft, lateral movement, and persistent backdoor installation.
Likely Case
Remote code execution leading to web server compromise, data exfiltration, and potential ransomware deployment.
If Mitigated
Reduced if the SOAP endpoint is reachable only from trusted networks or is blocked at a reverse proxy or WAF. Anything that can still reach /webtools/control/SOAPService can exploit it, and signature-based WAF rules can be evaded by re-encoding the payload, so these controls buy time rather than replace the patch.
🎯 Exploit Status
Public exploit code is available (Packet Storm hosts a Metasploit module, linked below). The attack is a single unauthenticated HTTP POST to the SOAP endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 17.12.06 or later
Vendor Advisory: https://lists.apache.org/thread.html/r078351a876ed284ba667b33aba29428d7308a5bd4df78f14a3df6661%40%3Cnotifications.ofbiz.apache.org%3E
Restart Required: Yes
Instructions:
1. Download Apache OFBiz 17.12.06 or later from the official site and verify the release signature or checksum.
2. Back up the current installation and database.
3. Stop the OFBiz service.
4. Deploy the patched version (build it with Gradle as for any OFBiz upgrade) and carry over your configuration and data.
5. Restart the OFBiz service.
6. Verify functionality, including any SOAP integrations you rely on.
🔧 Temporary Workarounds
Disable SOAP Component
Temporarily disable the vulnerable SOAP component if it is not required for business operations.
Remove or comment out the SOAP request mapping in each affected webapp. The handler is registered per webapp in WEB-INF/controller.xml (the SOAPService request-map and the soap handler entry, for example under framework/webtools/webapp/webtools/WEB-INF/); ofbiz-component.xml only declares whole webapps, so commenting a webapp out there removes the entire application rather than just SOAP. Afterwards confirm that a request to /webtools/control/SOAPService no longer reaches the SOAP handler.
Network Access Control
Restrict access to the OFBiz SOAP endpoints using firewall rules (Linux/iptables shown). Replace [OFBiz-port] and [allowed-ips] with your values. Because -A appends, these rules only take effect if no earlier rule already accepts the traffic, and they cut off the whole OFBiz port rather than just the SOAP path.
iptables -A INPUT -p tcp --dport [OFBiz-port] -s [allowed-ips] -j ACCEPT
iptables -A INPUT -p tcp --dport [OFBiz-port] -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate OFBiz from critical systems
- Deny the SOAP path (/webtools/control/SOAPService) at a reverse proxy in front of OFBiz; this is narrower than blocking the whole port
- Deploy a web application firewall with deserialization attack detection rules (serialized Java streams start with the bytes AC ED 00 05, which appear as "aced0005" hex-encoded or "rO0AB" base64-encoded)
🔍 How to Verify
Check if Vulnerable:
Check the OFBiz version in the admin interface or in the installation directory. On OFBiz 17.12 releases the release version is declared in build.gradle at the OFBiz root as a version assignment; the properties scan below is a fallback and may return nothing on recent layouts.
Check Version:
grep -r "version" ${OFBIZ_HOME}/framework/base/config/*.properties | grep -i ofbiz
Verify Fix Applied:
Confirm the version is 17.12.06 or later, then exercise any SOAP integrations you rely on. The patched endpoint still exists; the fix restricts which classes it will deserialize, so the endpoint answering is not evidence of vulnerability.
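The following added example (not the advisory's or the OFBiz project's code) automates the version check: it reads the release version from build.gradle, compares it against 17.12.06 with numeric ordering (so 17.12.10 is not mistaken for older than 17.12.6), and treats a -SNAPSHOT of the fix version as unfixed. The SafeObjectInputStream path it looks for as a sign of a backported fix is an assumption about where the fix landed; verify it against your own tree.

```python
"""Decide whether an OFBiz tree is at or past the CVE-2021-26295 fix (17.12.06).

Added example; not code from the advisory or the OFBiz project. Assumptions:
the release version is declared in build.gradle as  version = '17.12.05'
(the form OFBiz 17.12 releases use), and a source-level backport can be
recognised by the presence of SafeObjectInputStream.java under
framework/base (assumed path of the allow-listing stream the fix added).
"""
import re
import sys
from pathlib import Path
from typing import Optional, Tuple

FIXED = (17, 12, 6)
GRADLE_VERSION_RE = re.compile(r"""^\s*version\s*=\s*['"]([0-9][^'"]*)['"]""", re.M)
SAFE_OIS = Path("framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java")


def parse_version(text: str) -> Tuple[int, ...]:
    """'17.12.05' -> (17, 12, 5). Qualifiers such as -SNAPSHOT are stripped here."""
    m = re.match(r"[0-9]+(?:\.[0-9]+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_vulnerable(version: str) -> bool:
    """True below 17.12.06. Numeric tuple comparison, so 17.12.10 > 17.12.6; short
    versions are zero-padded (17.12 == 17.12.0); a -SNAPSHOT of the fix version
    is treated as unfixed because it predates the release."""
    v = parse_version(version)
    width = max(len(v), len(FIXED))
    v_pad = v + (0,) * (width - len(v))
    f_pad = FIXED + (0,) * (width - len(FIXED))
    if v_pad < f_pad:
        return True
    return v_pad == f_pad and "SNAPSHOT" in version.upper()


def version_from_gradle(gradle_text: str) -> Optional[str]:
    """Pull the version = '...' assignment out of build.gradle, or None."""
    m = GRADLE_VERSION_RE.search(gradle_text)
    return m.group(1) if m else None


def assess(gradle_text: str, has_safe_ois: bool) -> str:
    """Combine the declared version with the source-level marker into one verdict."""
    version = version_from_gradle(gradle_text)
    if version is None:
        return "unknown: no version in build.gradle; inspect the tree manually"
    if not is_vulnerable(version):
        return f"fixed: version {version} is 17.12.06 or later"
    if has_safe_ois:
        return f"likely backported: version {version} but SafeObjectInputStream is present"
    return f"VULNERABLE: version {version} is below 17.12.06 and no SafeObjectInputStream"


def check_install(ofbiz_home: str) -> str:
    """File-system wrapper: python3 check.py /opt/ofbiz"""
    home = Path(ofbiz_home)
    gradle = home / "build.gradle"
    text = gradle.read_text(errors="replace") if gradle.is_file() else ""
    return assess(text, (home / SAFE_OIS).is_file())


if __name__ == "__main__":
    print(check_install(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it against the OFBiz root (`python3 check.py /opt/ofbiz`). A "likely backported" verdict means someone patched the source without bumping the version; treat it as a prompt to diff the SOAP handler against the fix commit rather than as proof.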
📡 Detection & Monitoring
Log Indicators:
- Java deserialization errors in ofbiz.log (for example ClassNotFoundException or InvalidClassException raised while handling a SOAP request) that do not match any legitimate integration
- Unexpected process execution from OFBiz user
- SOAP requests with serialized Java objects
Network Indicators:
- HTTP POST requests to /webtools/control/SOAPService with serialized data
- Outbound connections from OFBiz server to unknown IPs
SIEM Query:
source="ofbiz.log" AND ("deserialization" OR ("SOAPService" AND "POST"))
The inner parentheses matter: AND binds tighter than OR, so without them the query matches every line containing "deserialization" regardless of the rest. ofbiz.log (under runtime/logs) carries the handler's exceptions, while the request method and path are recorded in the embedded Tomcat access log, so point the POST/SOAPService clause at that source as well.
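The two network and log indicators above, turned into a script, as an added example that is not part of the advisory or of OFBiz itself. It checks the access log for POSTs to the SOAP endpoint and inspects captured SOAP bodies for a `<cus-obj>` element carrying a Java serialized stream (hex or base64), extracting the outermost class name from the stream header. The combined log format, the `<cus-obj>` element, and the XmlSerializer-style element names are assumptions stated in the code; all log lines and envelopes are constructed samples, and the matching on any `/control/SOAPService` suffix generalizes beyond the webtools path to other webapps that might wire the same handler.

```python
"""Hunt for CVE-2021-26295 attempts in the access log (who POSTed to the SOAP
endpoint) and in captured request bodies (did the SOAP payload carry a
serialized Java object).

Added example; not code from the advisory or the OFBiz project. Assumptions:
Tomcat's access log is in combined format; the exploit puts its serialized
object in a SOAP <cus-obj> element, hex-encoded (the element OFBiz's
XmlSerializer deserializes), so the payload starts with Java's stream magic
AC ED 00 05 ("aced0005" as hex, "rO0AB" as base64). Every log line and
envelope below is a constructed sample, not captured traffic.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# /webtools/control/SOAPService, plus any other webapp that wires the same handler
SOAP_PATH_SUFFIX = "/control/SOAPService"
JAVA_MAGIC = b"\xac\xed\x00\x05"

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)
CUS_OBJ_RE = re.compile(r"<cus-obj\b[^>]*>(.*?)</cus-obj>", re.S | re.I)


def soap_posts(lines: List[str]) -> List[Dict[str, str]]:
    """POST requests whose path (query string ignored) ends with the SOAP path."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0].endswith(SOAP_PATH_SUFFIX):
            hits.append(m.groupdict())
    return hits


def outermost_class(raw: bytes) -> str:
    """After the magic, TC_OBJECT (0x73) TC_CLASSDESC (0x72) <u2 len> <name> names the outer class."""
    if len(raw) >= 8 and raw[4:6] == b"\x73\x72":
        n = int.from_bytes(raw[6:8], "big")
        return raw[8:8 + n].decode("utf-8", errors="replace")
    return "?"


def decode_java_stream(blob_text: str) -> Optional[Dict[str, str]]:
    """Try hex, then base64; report encoding and outer class if it is a Java stream."""
    compact = re.sub(r"\s+", "", blob_text)
    candidates = []
    try:
        candidates.append(("hex", bytes.fromhex(compact)))
    except ValueError:
        pass
    try:
        candidates.append(("base64", base64.b64decode(compact, validate=True)))
    except (binascii.Error, ValueError):
        pass
    for enc, raw in candidates:
        if raw.startswith(JAVA_MAGIC):
            return {"encoding": enc, "class": outermost_class(raw)}
    return None


def find_serialized_payloads(body: str) -> List[Dict[str, str]]:
    """Every <cus-obj> element in a SOAP body that decodes to a Java serialized stream."""
    hits = [decode_java_stream(inner) for inner in CUS_OBJ_RE.findall(body)]
    return [h for h in hits if h]


def serialized_header(class_name: str) -> bytes:
    """Constructed sample: stream header naming one class, not a working gadget chain."""
    name = class_name.encode()
    return JAVA_MAGIC + b"\x73\x72" + len(name).to_bytes(2, "big") + name


# --- constructed samples ---------------------------------------------------
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [23/Mar/2021:10:01:22 +0000] "GET /webtools/control/main HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [23/Mar/2021:10:01:30 +0000] "POST /webtools/control/SOAPService HTTP/1.1" 200 512 "-" "python-requests/2.25.1"',
    '10.0.0.5 - - [23/Mar/2021:10:02:01 +0000] "POST /webtools/control/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
_HEX = serialized_header("java.util.PriorityQueue").hex()
_B64 = base64.b64encode(serialized_header("java.util.PriorityQueue")).decode()
# Element names follow OFBiz's XmlSerializer map encoding (assumption).
SAMPLE_SOAP_BODY = f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><ser><map-HashMap><map-Entry>
    <map-Key><std-String value="cmd"/></map-Key>
    <map-Value><cus-obj>{_HEX}</cus-obj></map-Value>
  </map-Entry></map-HashMap></ser></soapenv:Body>
</soapenv:Envelope>"""
SAMPLE_SOAP_BODY_B64 = SAMPLE_SOAP_BODY.replace(_HEX, _B64)

if __name__ == "__main__":
    for rec in soap_posts(SAMPLE_ACCESS_LOG):
        print(f"SOAP POST from {rec['ip']} at {rec['ts']} -> HTTP {rec['status']}")
    for hit in find_serialized_payloads(SAMPLE_SOAP_BODY):
        print(f"serialized Java object ({hit['encoding']}), outer class {hit['class']}")
```

The outer class name is the most useful single field to alert on: legitimate OFBiz SOAP clients send `std-*` and `map-*` elements, not `cus-obj` blobs whose first class descriptor is a collection or reflection type, which is what deserialization gadget chains begin with. Access logs do not contain bodies, so the body check needs a WAF, reverse-proxy body capture or packet capture as its source.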
🔗 References
- http://packetstormsecurity.com/files/162104/Apache-OFBiz-SOAP-Java-Deserialization.html
- https://lists.apache.org/thread.html/r078351a876ed284ba667b33aba29428d7308a5bd4df78f14a3df6661%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r0d97a3b7a14777b9e9e085b483629d2774343c4723236d1c73f43ff0%40%3Cdev.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r108a964764b8bd21ebd32ccd4f51c183ee80a251c105b849154a8e9d%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r3c1802eaf34aa78a61b4e8e044c214bc94accbd28a11f3a276586a31%40%3Cuser.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r3ee005dd767cd83f522719423f5e7dd316f168ddbd1dc51a13d4e244%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r6e4579c4ebf7efeb462962e359501c6ca4045687f12212551df2d607%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rab718cfe6468085d7560c0c1ae816841e175886199f42e36efb8d735%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rbe512e5ccd6b11169c6379daa1234bc805f3d53c5a38224e956295ce%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rbe8439b26a71fc3b429aa793c65dcc4a6e349bc7bb5010746a74fa1d%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rc9bd0d3d794dc370bc70585960841868cb29b92dcc80552b84ca2599%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rec5e9fdcdca13099cfb29f632333f44ad1dd60d90f67b90434e4467a%40%3Cdev.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/reccf8c8a58337ce7c035495d3d82fbc549e97036a9789a2a7d9cccf6%40%3Cdev.ofbiz.apache.org%3E