CVE-2021-26295: 
Apache OFBiz vulnerability analysis and mitigation

CVE-2021-26295 is a critical vulnerability in Apache OFBiz versions prior to 17.12.06, discovered in March 2021. The vulnerability stems from unsafe deserialization that allows an unauthenticated attacker to successfully take over Apache OFBiz (NVD).

The vulnerability is related to an unauthenticated SOAP interface in the Apache OFBiz application that accepts and deserializes arbitrary Java objects. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The YSoSerial ROME gadget chain can be used to exploit this vulnerability by submitting a payload to the server that, after being deserialized, results in command execution (AttackerKB).

The vulnerability allows an unauthenticated attacker to achieve complete takeover of the Apache OFBiz system. The impact is rated as critical with high severity across confidentiality, integrity, and availability (NVD).

The primary mitigation is to upgrade Apache OFBiz to version 17.12.06 or later, which contains the fix for this vulnerability. The Apache team has implemented a blacklist (later renamed to denylist) in Java serialization as part of the fix (NVD).