Vulnerability Allowing Remote Code Execution in Apache OFBiz Patched (Cybers Guards)

Apache OFBiz is an open source enterprise resource planning (ERP) system that provides a suite of applications to automate business processes within enterprise environments and can be used in any industry. It is a Java-based web platform. OFBiz was one of the platforms affected by a Java serialization vulnerability discovered and published in 2015, which affected OFBiz's Apache Commons Collections and Apache Groovy libraries. Although patches for both libraries were released, the risk of using RMI, JNDI, JMX, or Spring, as well as probably other Java classes, was not removed. A whitelist was later added to provide additional protection against potential Java serialization vulnerabilities. Apache added the ability to block objects after fixing a problem (CVE-2019-0189) with the ObjectInputStream class, which allows users to add their own objects/classes to the list of objects used by OFBiz OOTB (Out Of The Box).

The patch for CVE-2021-26295 is included in Apache OFBiz 17.12.06, the sixth and final update of the 17.12 series, and adds a "blacklist (to be renamed shortly to denylist) in Java serialization." The commit that fixed the security issue is tracked as OFBIZ-12167 and "adds an example based on RMI, which is believed to be a problem," according to OFBiz technical developer Jacques Le Roux. He reported that the unsafe deserialization could be exploited to remotely execute code, effectively allowing an unauthenticated attacker to take control of Apache OFBiz. Potential exploitation attempts can be avoided by updating OFBiz to the 17.12.06 release.
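As an added illustration of the allowlist-plus-denylist approach described above (example code written for this page, not OFBiz's own implementation; the class names in both lists are constructed assumptions, and RMI/JNDI/JMX packages are placed on the denylist because the text names them as residual risks):

```java
import java.io.*;
import java.util.*;

// Hypothetical hardened ObjectInputStream: a class is accepted only if it is on
// the allowlist AND not on the denylist, so a later allowlist extension (as with
// the OOTB list the text describes) cannot silently re-enable a risky class.
public class SafeObjectInputStream extends ObjectInputStream {
    // Constructed allowlist: the exact types this application expects to read.
    private static final Set<String> ALLOW = new HashSet<>(Arrays.asList(
        "java.lang.String", "java.util.HashMap", "java.lang.Integer", "java.lang.Number"));
    // Constructed denylist prefixes: rejected even if someone adds them to ALLOW.
    private static final List<String> DENY_PREFIXES = Arrays.asList(
        "org.apache.commons.collections.", "java.rmi.", "javax.management.", "com.sun.jndi.");

    public SafeObjectInputStream(InputStream in) throws IOException { super(in); }

    // Called for every class descriptor in the stream, including superclasses,
    // before any instance is created, so rejection happens before gadget code runs.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        for (String p : DENY_PREFIXES) {
            if (name.startsWith(p)) throw new InvalidClassException(name, "denylisted class");
        }
        if (!ALLOW.contains(name)) throw new InvalidClassException(name, "not on allowlist");
        return super.resolveClass(desc);
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Demo: an allowlisted HashMap round-trips; an ArrayList (not allowlisted) is
    // rejected by resolveClass before its readObject logic ever executes.
    public static void main(String[] args) throws Exception {
        byte[] ok = serialize(new HashMap<>(Map.of("k", 1)));
        byte[] bad = serialize(new ArrayList<>(List.of("x")));
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(ok))) {
            System.out.println("accepted: " + in.readObject());
        }
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(bad))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same policy can be expressed with the built-in ObjectInputFilter API instead of overriding resolveClass; the allow-then-deny ordering shown here is the part worth keeping either way.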