Apache has fixed a critical security vulnerability in its open-source OFBiz (Open For Business) software, which could allow attackers to execute arbitrary code on vulnerable Linux and Windows servers.
OFBiz is a suite of customer relationship management (CRM) and enterprise resource planning (ERP) business applications that can also be used as a Java-based web framework for developing web applications.
Tracked as CVE-2024-45195 and discovered by Rapid7 security researchers, this remote code execution flaw is caused by a forced browsing weakness that exposes restricted paths to unauthenticated direct request attacks.
“An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server,” security researcher Ryan Emmons explained on Thursday in a report containing proof-of-concept exploit code.
The Apache security team patched the vulnerability in version 18.12.16 by adding authorization checks. OFBiz users are advised to upgrade their installations as soon as possible to block potential attacks.
Bypass for previous security patches
As Emmons further explained today, CVE-2024-45195 is a patch bypass for three other OFBiz vulnerabilities that have been patched since the start of the year and are tracked as CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856.
“Based on our analysis, three of these vulnerabilities are, essentially, the same vulnerability with the same root cause,” Emmons added.
All of them are caused by a controller-view map fragmentation issue that enables attackers to execute code or SQL queries and achieve remote code execution without authentication.
In early August, CISA warned that the CVE-2024-32113 OFBiz vulnerability (patched in May) was being exploited in attacks, days after SonicWall researchers published technical details on the CVE-2024-38856 pre-authentication RCE bug.
CISA also added the two security bugs to its catalog of actively exploited vulnerabilities, requiring federal agencies to patch their servers within three weeks as mandated by the binding operational directive (BOD 22-01) issued in November 2021.
Even though BOD 22-01 only applies to Federal Civilian Executive Branch (FCEB) agencies, CISA urged all organizations to prioritize patching these flaws to thwart attacks that could target their networks.
In December, attackers started exploiting another OFBiz pre-authentication remote code execution vulnerability (CVE-2023-49070) using public proof of concept (PoC) exploits to find vulnerable Confluence servers.