Apache OFBiz SOAPService Deserialization RCE
Description
Apache OFBiz versions prior to 17.12.06 contain a critical Java deserialization vulnerability in the unauthenticated SOAP endpoint located at /webtools/control/SOAPService. This flaw allows remote attackers to deserialize malicious Java objects without authentication, leading to arbitrary code execution on the server. The vulnerability exists because the SOAP service improperly handles untrusted serialized data without adequate validation or filtering.
Remediation
Take the following steps to remediate this vulnerability:

1. Immediate Action:
• Upgrade Apache OFBiz to version 17.12.06 or later, which contains the fix for CVE-2021-26295
• If immediate patching is not possible, disable or restrict access to the /webtools/control/SOAPService endpoint using firewall rules or web application firewall (WAF) policies

2. Verification:
• After upgrading, verify that the SOAP endpoint is no longer vulnerable by testing with security scanning tools
• Review application logs for any suspicious activity or exploitation attempts prior to patching

3. Long-term Security:
• Implement network segmentation to limit access to administrative endpoints
• Enable authentication and authorization controls for all SOAP services
• Regularly monitor Apache OFBiz security advisories and apply patches promptly

Download the latest version from the official Apache OFBiz website at https://ofbiz.apache.org/
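As an added example (not part of this advisory), a small Python log-review helper for the verification step above: it flags requests that reach /webtools/control/SOAPService from sources outside an allow-list of administrative networks, normalising the path so that percent-encoding, a query string or doubled slashes do not hide a hit. The combined access-log format, the 10.0.0.0/8 allow-list and the sample log lines are assumptions constructed for the example.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Apache/Tomcat "combined" access-log layout (assumed; adjust the regex to your logger).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# The endpoint named in the advisory; compared on the decoded, normalised path.
SOAP_PATH = "/webtools/control/SOAPService".lower()

def normalise_path(target):
    path = urlsplit(target).path          # drop any ?query
    path = unquote(path)                  # decode %53 etc.
    while "//" in path:                   # collapse doubled slashes
        path = path.replace("//", "/")
    return path.rstrip("/").lower()

def is_allowed(ip, allowed_nets):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                      # unparsable source: treat as untrusted
    return any(addr in net for net in allowed_nets)

def flag_soap_requests(lines, allowed_nets):
    """(ip, timestamp, method, status) for each SOAPService request from outside the allow-list."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that do not parse
        if normalise_path(m["target"]) != SOAP_PATH:
            continue
        if is_allowed(m["ip"], allowed_nets):
            continue
        hits.append((m["ip"], m["ts"], m["method"], int(m["status"])))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2021:12:00:01 +0000] "POST /webtools/control/SOAPService HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Mar/2021:12:00:07 +0000] "POST /webtools/control/SOAPService HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Mar/2021:12:00:09 +0000] "POST /webtools/control/%53OAPService?x=1 HTTP/1.1" 500 0',
    '198.51.100.4 - - [10/Mar/2021:12:01:00 +0000] "GET /webtools/control/main HTTP/1.1" 200 1024',
]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed allow-list of admin networks
```

Run `flag_soap_requests(SAMPLE_LOG, INTERNAL_NETS)` over real log lines to produce the list of requests worth reviewing; a 500 response on this endpoint from an outside address deserves a closer look.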