CVE-2021-30128
📋 TL;DR
Apache OFBiz versions before 17.12.07 contain an unsafe deserialization vulnerability that allows remote attackers to execute arbitrary code on affected systems. This affects all deployments running vulnerable versions of Apache OFBiz, an open-source enterprise resource planning system. Attackers can exploit this without authentication to gain complete control of the server.
💻 Affected Systems
- Apache OFBiz
📦 What is this software?
OFBiz by Apache
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, ransomware deployment, and lateral movement within the network.
Likely Case
Remote code execution resulting in web shell installation, credential harvesting, and backdoor persistence on the server.
If Mitigated
Exploitation prevented through proper network segmentation and patching, limiting impact to isolated systems.
🎯 Exploit Status
Exploit code is publicly available and requires minimal technical skill to execute. Multiple proof-of-concept implementations exist.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 17.12.07 and later
Vendor Advisory: https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743%40%3Cannounce.apache.org%3E
Restart Required: Yes
Instructions:
1. Backup your OFBiz instance and database.
2. Download OFBiz version 17.12.07 or later from the Apache website.
3. Replace the vulnerable OFBiz installation with the patched version.
4. Restart the OFBiz service.
5. Verify the patch is applied by checking the version.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to OFBiz instances with firewall rules that allow only trusted sources.
Web Application Firewall
Deploy a WAF with rules that detect and block deserialization attacks.
🧯 If You Can't Patch
- Isolate the OFBiz instance in a separate network segment with strict firewall rules
- Implement application-level monitoring and intrusion detection for suspicious deserialization activity
🔍 How to Verify
Check if Vulnerable:
Check the OFBiz version number in the web interface or configuration files. If the version is below 17.12.07, the system is vulnerable.
Check Version:
Check the OFBiz version in the web admin interface or examine the ofbiz-component.xml files for version information.
Verify Fix Applied:
Confirm the version is 17.12.07 or higher and test that the application functions normally after patching.
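The version comparison above is easy to get wrong when done on strings ("17.12.10" sorts before "17.12.7" lexically). The following is an added example, not code from the advisory or from the OFBiz project, that parses a version string into a numeric tuple and compares it against the fixed release named above. It assumes release versions of the form MAJOR.MINOR.PATCH; any other string is reported as unknown rather than guessed at.

```python
"""Classify a reported OFBiz version string against the fixed release 17.12.07.

Added example, not part of the advisory or of Apache OFBiz. Assumes release
version strings look like "17.12.06" (MAJOR.MINOR.PATCH); anything else is
flagged for manual inspection instead of being guessed at.
"""
import re
from typing import Optional, Tuple

# First release containing the fix, per the advisory's "Patch Version" field.
FIXED_VERSION = (17, 12, 7)

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract (major, minor, patch) as integers; None if the string does not match."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if below 17.12.07, False if 17.12.07 or later, None if unparseable.

    Tuple comparison is numeric per component, so "17.12.10" is correctly
    treated as newer than "17.12.7".
    """
    parsed = parse_version(version_text)
    if parsed is None:
        return None
    return parsed < FIXED_VERSION


def classify(version_text: str) -> str:
    """Human-readable verdict for one version string."""
    state = is_vulnerable(version_text)
    if state is None:
        return f"{version_text!r}: version unknown, inspect manually"
    if state:
        return f"{version_text!r}: VULNERABLE (below 17.12.07), patch required"
    return f"{version_text!r}: patched (17.12.07 or later)"


if __name__ == "__main__":
    # Constructed sample inputs covering the patched/unpatched/unknown cases.
    for candidate in ["17.12.06", "17.12.07", "17.12.10", "18.12.01", "trunk"]:
        print(classify(candidate))
```

Feed it the version string read from the web admin interface or from ofbiz-component.xml; a None result means the string was not a plain release version and should be checked by hand.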
📡 Detection & Monitoring
Log Indicators:
- Unusual Java deserialization errors in logs
- Suspicious HTTP POST requests to OFBiz endpoints
- Unexpected process execution from OFBiz context
Network Indicators:
- HTTP requests containing serialized Java objects to OFBiz endpoints
- Outbound connections from OFBiz server to unknown external IPs
SIEM Query:
source="ofbiz.log" AND ("deserialization" OR "java.io.ObjectInputStream" OR "RMI" OR "JRMP")
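For teams without a SIEM, or to sanity-check the query before deploying it, the same indicator terms can be run over a log file directly. The block below is an added example, not code from the advisory or from OFBiz: it matches the four terms from the SIEM query as whole words (so "permit" does not trip the "RMI" indicator) and reports which lines hit and how often each term appears. The sample log lines are constructed for illustration and are not real OFBiz output.

```python
"""Scan OFBiz log lines for the deserialization indicators in the SIEM query.

Added example, not part of the advisory or of Apache OFBiz. The SAMPLE_LOG
lines are constructed for illustration and do not reproduce real OFBiz output.
"""
import re
from typing import Dict, List, Tuple

# Terms taken from the SIEM query above, matched case-insensitively as whole
# words so that substrings such as "permit" do not count as "RMI".
INDICATOR_TERMS = ["deserialization", "java.io.ObjectInputStream", "RMI", "JRMP"]

_PATTERNS = {
    term: re.compile(r"\b" + re.escape(term) + r"\b", re.IGNORECASE)
    for term in INDICATOR_TERMS
}


def scan_line(line: str) -> List[str]:
    """Return the indicator terms present in a single log line."""
    return [term for term, pattern in _PATTERNS.items() if pattern.search(line)]


def scan_log(lines: List[str]) -> List[Tuple[int, List[str], str]]:
    """Return (line_number, matched_terms, line) for every line with a hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        terms = scan_line(line)
        if terms:
            hits.append((number, terms, line))
    return hits


def summarize(hits: List[Tuple[int, List[str], str]]) -> Dict[str, int]:
    """Count how many hit lines contained each indicator term."""
    counts = {term: 0 for term in INDICATOR_TERMS}
    for _, terms, _ in hits:
        for term in terms:
            counts[term] += 1
    return counts


# Constructed sample lines (not real OFBiz output). Lines 2 and 3 should hit;
# line 4 contains "permit" and must NOT be counted as an "RMI" indicator.
SAMPLE_LOG = [
    "2021-04-27 10:01:02 |worker-3 |RequestHandler |I| request begun /control/main",
    "2021-04-27 10:01:05 |worker-7 |RequestHandler |E| InvalidClassException during deserialization of request payload",
    "2021-04-27 10:01:05 |worker-7 |RequestHandler |E|     at java.io.ObjectInputStream.readObject(ObjectInputStream.java)",
    "2021-04-27 10:01:06 |worker-7 |UtilObject     |W| refusing to permit unexpected class in stream",
    "2021-04-27 10:01:09 |worker-2 |RequestHandler |I| request done, total 0.12s",
]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for number, terms, line in found:
        print(f"line {number}: {', '.join(terms)} :: {line}")
    print("summary:", summarize(found))
```

Point scan_log at the real log (for example, iterate over an open ofbiz.log file) and alert on any non-empty result. Whole-word matching keeps the obvious false positives down, but "RMI" and "JRMP" can still appear in benign contexts on some deployments, so compare against a baseline of normal traffic before paging on every hit.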
🔗 References
- http://www.openwall.com/lists/oss-security/2021/04/27/5
- https://lists.apache.org/thread.html/r078351a876ed284ba667b33aba29428d7308a5bd4df78f14a3df6661%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r108a964764b8bd21ebd32ccd4f51c183ee80a251c105b849154a8e9d%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rab718cfe6468085d7560c0c1ae816841e175886199f42e36efb8d735%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743%40%3Cdev.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743%40%3Cuser.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rb82f41de3c44bb644632531f79649046ca76afeab25a2bdb9991ab84%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rbe512e5ccd6b11169c6379daa1234bc805f3d53c5a38224e956295ce%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rbe8439b26a71fc3b429aa793c65dcc4a6e349bc7bb5010746a74fa1d%40%3Ccommits.ofbiz.apache.org%3E