He explained that the unsafe deserialization could be exploited to execute code remotely, in effect allowing an unauthenticated attacker to take control of Apache OFBiz. Potential exploitation attempts can be thwarted by updating OFBiz to the 17.12.06 release.

Apache OFBiz is an open source enterprise resource planning (ERP) system that provides a suite of applications to automate business processes within enterprise environments and can be used in any industry. It is a Java-based web platform.

Apache added the ability to reject objects after fixing a problem (CVE-2019-0189) with the ObjectInputStream class, which allowed users to add their own objects/classes to the list of objects used by OFBiz OOTB (Out Of The Box).

OFBiz was one of the platforms hit by a Java serialization vulnerability disclosed and published in 2015, which affected OFBiz's Apache Commons Collections and Apache Groovy libraries. Although patches for both libraries were released, the risk of using RMI, JNDI, JMX, or Spring, as well as probably other Java classes, was not removed.

The patch for CVE-2021-26295 is included in Apache OFBiz 17.12.06, the sixth and final update of the 17.12 series, and adds a "blacklist (to be renamed soon to denylist) in Java serialization." The commit that fixes the security issue is tracked as OFBIZ-12167 and "adds an example based on RMI, which is considered to be a problem," according to expert OFBiz developer Jacques Le Roux. A whitelist was later added to provide extra protection against potential Java serialization vulnerabilities.
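The two mitigations the article describes, a deny list first and a stricter allow list later, map directly onto the JDK's own serialization filter mechanism (ObjectInputFilter, JEP 290, Java 9 and later). The following is an added example, not OFBiz's code and not the filter OFBiz ships: it shows the deny-list style that rejects a few known-risky packages and accepts everything else, next to the allow-list style that accepts only the application's own type plus the JDK classes it needs and rejects the rest. The Order class, the package names in the deny list and the depth limit are illustrative assumptions.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

// Added example (not Apache OFBiz code): applying JDK serialization filters
// to ObjectInputStream, first as a deny list, then as an allow list.
public class SerialFilterDemo {

    // Constructed application class that legitimately travels in serialized form.
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku;
        final int quantity;
        Order(String sku, int quantity) { this.sku = sku; this.quantity = quantity; }
    }

    // Deny-list style: reject the packages named (illustrative, not OFBiz's actual
    // list), accept anything else. Anything not listed still gets deserialized, which
    // is why a deny list alone leaves residual risk.
    static final ObjectInputFilter DENY_LIST = ObjectInputFilter.Config.createFilter(
            "!sun.rmi.**;!java.rmi.**;!com.sun.jndi.**;!javax.management.**;"
          + "!org.springframework.**;maxdepth=20");

    // Allow-list style: accept only our own type (binary name of the nested class)
    // and the JDK class its fields need; "!*" rejects every other class.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "SerialFilterDemo$Order;java.lang.String;!*;maxdepth=20");

    // Serialize any object into a byte array (stands in for data read off the wire).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Returns true if the blob deserializes under the given filter, false if the
    // filter rejects a class in it. The JDK signals a rejection by throwing
    // InvalidClassException before the rejected class is instantiated.
    static boolean accepted(byte[] blob, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            ois.setObjectInputFilter(filter);
            ois.readObject();
            return true;
        } catch (InvalidClassException rejected) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] order = serialize(new Order("SKU-1", 3));
        byte[] list  = serialize(new ArrayList<>(List.of("x")));

        // The Order blob passes both filters; the ArrayList blob passes the deny
        // list (it names nothing about java.util) but is rejected by the allow list.
        System.out.println("deny list,  Order     : " + accepted(order, DENY_LIST));
        System.out.println("deny list,  ArrayList : " + accepted(list, DENY_LIST));
        System.out.println("allow list, Order     : " + accepted(order, ALLOW_LIST));
        System.out.println("allow list, ArrayList : " + accepted(list, ALLOW_LIST));
    }
}
```

Run it with `java SerialFilterDemo.java` on Java 11 or later. The deny list only blocks what it names, so an unlisted type such as ArrayList is still deserialized; the allow list's trailing `!*` turns the default around so that any class not explicitly listed is refused, which is the property an allow list adds on top of a deny list. A process-wide default can be set the same way with the `jdk.serialFilter` system property instead of calling `setObjectInputFilter` per stream.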