Apache OFBiz Update Fixes High-Severity Flaw Leading to Remote Code Execution

Sep 06, 2024Ravie LakshmananCybersecurity / Vulnerability


A new security update addresses a high-severity flaw in the Apache OFBiz open-source enterprise resource planning (ERP) system that could allow unauthenticated remote code execution on both Linux and Windows servers.

The high-severity vulnerability, tracked as CVE-2024-45195 (CVSS score: 7.5), affects all versions of the software prior to 18.12.16.


“A threat actor lacking valid credentials can exploit the absence of view authorization checks in the web application to execute arbitrary code on the server,” said Ryan Emmons, a security researcher at Rapid7, in a report.

Notably, CVE-2024-45195 is a bypass for three earlier vulnerabilities, CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856, that the project maintainers patched in the preceding months.

Two of those earlier flaws, CVE-2024-32113 and CVE-2024-38856, have already been exploited in the wild, with the former used to deliver the Mirai botnet malware.

Rapid7 said all three previous flaws stem from the same root cause, which it described as the “inability to synchronize the controller and view map state,” a problem that none of the earlier patches fully resolved: authorization was decided against the controller entry for the requested URI while a different view could end up being rendered.

As a result, an unauthenticated attacker could reach views that execute code or SQL queries and thereby obtain remote code execution.

The latest update ensures that “a view must allow anonymous access if a user is not authenticated, rather than solely relying on authorization checks tied to the target controller.”
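To make the controller/view desynchronization concrete, the following is an added example written for this page, not Apache OFBiz code. It models a hypothetical dispatcher with two separate maps: a controller map (request name to auth requirement and default view) and a view map (view name to whether anonymous access is allowed). The constructed convention that a trailing path segment overrides the rendered view, and all request and view names, are assumptions for illustration. The vulnerable dispatcher authorizes only against the controller entry; the fixed one also checks that the view actually rendered permits anonymous access, as the patch description requires.

```python
"""
Simplified model of a controller/view-map authorization bypass.

Added example for illustration only; this is NOT Apache OFBiz code. Request
names, view names and the "trailing segment overrides the view" rule are all
constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Controller:
    auth_required: bool  # must the caller be logged in to issue this request?
    view: str            # default view rendered for this request


@dataclass(frozen=True)
class View:
    allow_anonymous: bool  # may an unauthenticated caller see this view?


# Constructed controller map: request name -> controller entry.
CONTROLLER_MAP = {
    "login":          Controller(auth_required=False, view="LoginView"),
    "forgotPassword": Controller(auth_required=False, view="ForgotPasswordView"),
    "adminConsole":   Controller(auth_required=True,  view="AdminConsoleView"),
}

# Constructed view map: view name -> view entry. Note that the view map carries
# its own notion of who may see a view, independent of the controller map.
VIEW_MAP = {
    "LoginView":          View(allow_anonymous=True),
    "ForgotPasswordView": View(allow_anonymous=True),
    "AdminConsoleView":   View(allow_anonymous=False),
}


def _segments(path):
    """'/control/forgotPassword/AdminConsoleView' -> ['forgotPassword', 'AdminConsoleView']."""
    return [s for s in path.split("/") if s and s != "control"]


def _resolve(path):
    """Return (controller entry, view name) for a path, or (None, None) if unknown.

    Hypothetical rule: the first segment names the request, and an optional
    trailing segment overrides the view that will be rendered.
    """
    segs = _segments(path)
    if not segs:
        return None, None
    ctrl = CONTROLLER_MAP.get(segs[0])
    if ctrl is None:
        return None, None
    view_name = segs[-1] if len(segs) > 1 else ctrl.view
    if view_name not in VIEW_MAP:
        return None, None
    return ctrl, view_name


def dispatch_vulnerable(path, authenticated):
    """Authorization is decided solely on the controller entry for the request.

    The view map is consulted only to find the view, never for authorization,
    so a request whose controller entry is public can render a view that
    should have required a login.
    """
    ctrl, view_name = _resolve(path)
    if ctrl is None:
        return "404"
    if ctrl.auth_required and not authenticated:
        return "redirect:login"
    return f"render:{view_name}"


def dispatch_fixed(path, authenticated):
    """Authorization follows the view that will actually be rendered.

    The controller check is kept, and in addition an unauthenticated caller may
    only see a view that explicitly allows anonymous access.
    """
    ctrl, view_name = _resolve(path)
    if ctrl is None:
        return "404"
    if ctrl.auth_required and not authenticated:
        return "redirect:login"
    if not authenticated and not VIEW_MAP[view_name].allow_anonymous:
        return "redirect:login"
    return f"render:{view_name}"


if __name__ == "__main__":
    # Constructed bypass: a public request name with a privileged view appended.
    path = "/control/forgotPassword/AdminConsoleView"
    print("vulnerable:", dispatch_vulnerable(path, authenticated=False))
    print("fixed:     ", dispatch_fixed(path, authenticated=False))
```

The essential difference is where the decision is made: the vulnerable dispatcher trusts the controller entry that the request name selected, while the fixed one re-checks the view that the request actually resolved to. Any time two maps can disagree about what a request means, the authorization check has to be applied to the artifact that is finally used, not to the one that was looked up first.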


Apache OFBiz version 18.12.16 also fixes a critical server-side request forgery (SSRF) vulnerability (CVE-2024-45507, CVSS score: 9.8) that could lead to unauthorized access and system compromise by means of a specially crafted URL.
