Apache has resolved a critical security flaw in its open-source OFBiz (Open For Business) software, which previously allowed attackers to run arbitrary code on vulnerable Linux and Windows servers.
OFBiz is a suite of business applications for customer relationship management (CRM) and enterprise resource planning (ERP) that also serves as a Java-based web development framework.
Identified as CVE-2024-45195 by Rapid7 security researchers, this remote code execution vulnerability arises from a forced browsing issue that exposes restricted paths to unauthenticated access.
“Attackers without valid credentials could exploit missing view authorization checks in the web application to execute arbitrary code on the server,” security researcher Ryan Emmons explained in a report shared on Thursday, which included proof-of-concept exploit code.
Apache’s security team addressed the vulnerability in version 18.12.16 by implementing authorization checks. OFBiz users are urged to update their systems promptly to prevent potential attacks.
Bypass for previous security patches
Emmons further explained that CVE-2024-45195 is a patch bypass for three other OFBiz vulnerabilities, patched earlier this year and tracked as CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856.
“From our analysis, these three vulnerabilities share the same root cause and are, essentially, the same issue,” Emmons added.
These vulnerabilities stem from a controller-view map fragmentation flaw that lets unauthenticated attackers execute arbitrary code or SQL queries, resulting in remote code execution on the server.
In early August, CISA issued a warning about the CVE-2024-32113 OFBiz vulnerability (patched in May), noting that it was being actively exploited in attacks. This came shortly after SonicWall researchers disclosed technical details on the CVE-2024-38856 pre-authentication RCE vulnerability.
CISA also added both security issues to its catalog of actively exploited vulnerabilities, mandating that federal agencies patch their systems within three weeks, in accordance with the binding operational directive (BOD 22-01) issued in November 2021.
Although BOD 22-01 only applies to Federal Civilian Executive Branch (FCEB) agencies, CISA urged all organizations to prioritize patching these flaws to protect their networks from potential attacks.
In December, attackers began exploiting another OFBiz pre-authentication remote code execution vulnerability (CVE-2023-49070), leveraging public proof-of-concept exploits to identify vulnerable Confluence servers.
Source: BleepingComputer, Sergiu Gatlan