Apache OFBiz is an open-source enterprise resource planning (ERP) system that provides a suite of applications for automating business processes in enterprise environments and can be used in any industry. It is a Java-based web framework. OFBiz was one of the platforms affected by a Java serialization vulnerability discovered and published in 2015, which affected OFBiz's Apache Commons Collections and Apache Groovy libraries. Although patches for both libraries were released, the risks of using RMI, JNDI, JMX, or Spring, as well as possibly other Java classes, were not removed. A whitelist was later added to provide additional protection against possible Java serialization vulnerabilities. Apache added the ability to reject objects after fixing an issue (CVE-2019-0189) with the ObjectInputStream class, which allows users to add their own objects/classes to the list of objects used by OFBiz OOTB (Out Of The Box).

The patch for CVE-2021-26295 is included in Apache OFBiz 17.12.06, the 6th and final update of the 17.12 series, and adds a "blacklist (to be renamed soon to denylist) in Java serialization." The commit that fixes the security issue is tracked as OFBIZ-12167 and "adds an example based on RMI, which is considered to be a problem," according to OFBiz expert developer Jacques Le Roux. He noted that the unsafe deserialization could be used to remotely execute code, effectively allowing an unauthenticated attacker to take control of Apache OFBiz. Potential exploitation attempts can be avoided by updating OFBiz to the 17.12.06 release.
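As an added illustration of the allowlist/denylist filtering described above (example code, not OFBiz's own), this Java 9+ snippet installs a JEP 290 `ObjectInputFilter` on an `ObjectInputStream` so that only expected classes are instantiated and classes from the library and API packages named above are rejected before construction. The class names, package prefixes, depth and array limits, and the `Order` type are assumptions for this example.

```java
import java.io.*;
import java.util.Set;

public class SafeDeserializer {
    // Classes a trusted payload may contain (assumed for this example).
    private static final Set<String> ALLOWLIST =
            Set.of("java.lang.String", "java.lang.Integer", "SafeDeserializer$Order");
    // Package prefixes of the libraries and APIs named in the text; rejected outright.
    private static final String[] DENY_PREFIXES = {
            "org.apache.commons.collections.", "org.codehaus.groovy.", "java.rmi.",
            "javax.naming.", "javax.management.", "org.springframework."};

    // The filter is consulted for every class, array and back-reference before instantiation.
    static ObjectInputFilter filter() {
        return info -> {
            // Bound nesting depth and array sizes to blunt resource-exhaustion payloads.
            if (info.depth() > 10 || info.arrayLength() > 1_000) return ObjectInputFilter.Status.REJECTED;
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED; // back-reference: no class to judge
            String name = c.getName();
            for (String prefix : DENY_PREFIXES) {
                if (name.startsWith(prefix)) return ObjectInputFilter.Status.REJECTED;
            }
            return ALLOWLIST.contains(name) ? ObjectInputFilter.Status.ALLOWED
                                            : ObjectInputFilter.Status.REJECTED;
        };
    }

    // Deserialize with the filter installed; a rejected class raises InvalidClassException.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter());
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    // Constructed sample type standing in for an application object.
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id; final int quantity;
        Order(String id, int quantity) { this.id = id; this.quantity = quantity; }
    }

    public static void main(String[] args) throws Exception {
        Order ok = (Order) readFiltered(serialize(new Order("A-1", 3)));
        System.out.println("accepted: " + ok.id + " x" + ok.quantity);   // allowlisted type
        try { readFiltered(serialize(new java.util.HashMap<String, String>())); } // not allowlisted
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The same policy can be applied process-wide without touching call sites via the `jdk.serialFilter` system property, which is useful when a framework such as OFBiz opens streams you do not control directly.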