A newly discovered security flaw in the Apache OFBiz open-source enterprise resource planning (ERP) system has been patched, closing a hole that could have allowed unauthenticated remote code execution on both Linux and Windows platforms. The vulnerability, tracked as CVE-2024-45195, has been assigned a CVSS score of 7.5, marking it as a high-severity issue. It affects all versions of OFBiz before 18.12.16.
According to Ryan Emmons, a security researcher at Rapid7, "An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server." This flaw allows unauthorized users to execute malicious code remotely without needing to authenticate, putting organizations at risk.
CVE-2024-45195 is a bypass for three earlier vulnerabilities, CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856, that the project maintainers had previously addressed. Despite those fixes, CVE-2024-32113 and CVE-2024-38856 have been actively exploited in the wild; the former was particularly dangerous because it was used to deploy the notorious Mirai botnet malware.
Rapid7 attributed the recurring issues to a flaw in how the "controller and view map state" was synchronized, which left the earlier patches incomplete. The vulnerabilities could be abused to run arbitrary code or execute SQL queries on vulnerable systems without authentication.
The latest patch for Apache OFBiz, version 18.12.16, corrects the issue by ensuring that anonymous access to views is only permitted if the user is unauthenticated, rather than relying solely on the target controller for authorization checks.
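To make the "controller and view map state" desynchronization concrete, the following is an added, hypothetical Python model of the flaw class and its fix. It is not Apache OFBiz code; the controller names, view names and the `view_override` field are invented for illustration, and the point is only that the authorization decision must cover the view that is actually rendered.

```python
# Hypothetical model of a controller/view authorization desync (added illustration,
# NOT Apache OFBiz source; controller and view names are constructed for the example).
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class View:
    name: str
    requires_auth: bool


@dataclass(frozen=True)
class Request:
    uri: str                    # the controller entry the client asked for
    view_override: Optional[str]  # separately tracked view state (constructed field)
    authenticated: bool


# controller map: uri -> (default view, login required to reach this controller)
CONTROLLER_MAP = {
    "public-page": ("public", False),
    "admin-report": ("admin", True),
}
# view map: view name -> View with its own auth requirement
VIEW_MAP = {
    "public": View("public", requires_auth=False),
    "admin": View("admin", requires_auth=True),
}


class Forbidden(Exception):
    """Raised when an unauthenticated request reaches a protected resource."""


def render_vulnerable(req: Request) -> str:
    # Authorization is decided only from the requested controller entry...
    default_view, ctrl_auth = CONTROLLER_MAP[req.uri]
    if ctrl_auth and not req.authenticated:
        raise Forbidden("login required")
    # ...but the view rendered comes from state the controller check never saw,
    # so a public controller can end up rendering a protected view.
    return VIEW_MAP[req.view_override or default_view].name


def render_fixed(req: Request) -> str:
    default_view, ctrl_auth = CONTROLLER_MAP[req.uri]
    view = VIEW_MAP[req.view_override or default_view]
    # The check must hold for the view actually rendered, not just the controller.
    if (ctrl_auth or view.requires_auth) and not req.authenticated:
        raise Forbidden("login required")
    return view.name
```

In the vulnerable variant an anonymous request through the public controller can reach the admin view; the fixed variant refuses it while still serving the public view anonymously and the admin view to an authenticated user.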
In addition to addressing CVE-2024-45195, the new version also fixes a critical server-side request forgery (SSRF) vulnerability (CVE-2024-45507), which has a CVSS score of 9.8. The SSRF flaw allows attackers to compromise systems by exploiting a specially crafted URL, leading to unauthorized access and potentially full system compromise.
Users are strongly advised to update to the latest version of Apache OFBiz to mitigate the risks posed by these vulnerabilities and ensure the security of their ERP systems.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067