Critical Apache OFBiz Flaw Allows Hackers to Execute Code Remotely
Apache has addressed a critical remote code execution (RCE) vulnerability in its open-source OFBiz (Open For Business) software, a suite of enterprise business applications used for customer relationship management (CRM) and enterprise resource planning (ERP). The flaw, identified as CVE-2024-45195, allows attackers to execute arbitrary code on Linux and Windows servers running OFBiz.
About the Vulnerability
Discovered by Rapid7 security researchers, the vulnerability stems from a forced browsing weakness: restricted paths in the web application can be reached through direct, unauthenticated requests. This lets attackers bypass the application's access controls, reach areas they are not authorized to use, and ultimately achieve remote code execution.
“An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server,” security researcher Ryan Emmons explained. The report also includes proof-of-concept (PoC) exploit code demonstrating the vulnerability.
Patch and Recommendation
The Apache security team has patched the vulnerability in version 18.12.16 by adding necessary authorization checks. OFBiz users are strongly advised to update their installations to prevent potential exploitation of this critical flaw.
Bypass of Previous Patches
CVE-2024-45195 is a bypass for three previously patched vulnerabilities, tracked as CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856. All these flaws share a common root cause: a controller-view map fragmentation issue that attackers can exploit to achieve remote code execution without authentication.
Security researcher Ryan Emmons emphasized that the latest vulnerability highlights the persistence of the underlying issue, despite previous patches. Attackers can execute code or SQL queries using these flaws, posing a significant risk to unpatched systems.
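The two passages above describe the weakness in general terms: authorization is checked against the request, while the view that is finally rendered is selected separately, so the request map and the view map drift apart ("fragmentation") and a restricted view becomes reachable by direct request. The following is an added, constructed illustration of that pattern in a toy router, not OFBiz's code and not a model of its actual request/view configuration; the `view_override` parameter, the request and view maps, and the view names are all assumptions made for the example. It shows the gap beside a deny-by-default fix that authorizes the view actually being rendered.

```python
"""Minimal model of a controller that maps request URIs to views. It shows how a
forced-browsing / missing-view-authorization gap arises when the authorization
check is tied to the request entry rather than to the view that is finally
rendered, and how a deny-by-default check at render time closes it.
Constructed illustration only, not OFBiz code."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    uri: str
    authenticated: bool
    # Hypothetical parameter letting the caller name the view to render.
    # Assumed for this model; it stands in for any indirection between the
    # request that is authorized and the view that is rendered.
    view_override: Optional[str] = None


# Constructed request map: uri -> (requires authentication?, default view name).
REQUEST_MAP = {
    "login": (False, "LoginView"),
    "admin/users": (True, "UserAdminView"),
}

# Constructed view map: view name -> renderer. Views are registered independently
# of requests, so a view can exist without a guarded request entry of its own.
VIEW_MAP = {
    "LoginView": lambda: "login page",
    "UserAdminView": lambda: "user admin page",
    "DebugView": lambda: "debug page",
}

# The only views that may be shown without authenticating (explicit allowlist).
PUBLIC_VIEWS = frozenset({"LoginView"})


def resolve_view(req: Request) -> Optional[str]:
    """Pick the view for a request: the override if given, else the request's default."""
    _, default_view = REQUEST_MAP.get(req.uri, (True, None))
    return req.view_override or default_view


def route_vulnerable(req: Request) -> str:
    """Authorization is decided from the REQUEST entry only. The view is resolved
    afterwards, so a restricted view can be rendered through a request that needs
    no authentication: the request map and view map have drifted apart."""
    requires_auth, _ = REQUEST_MAP.get(req.uri, (True, None))
    if requires_auth and not req.authenticated:
        return "403 Forbidden"
    view = resolve_view(req)
    if view not in VIEW_MAP:
        return "404 Not Found"
    return VIEW_MAP[view]()


def route_hardened(req: Request) -> str:
    """Authorize the VIEW that will actually be rendered, after all resolution, and
    deny by default: unknown URIs are treated as restricted, and an unauthenticated
    caller only ever sees views on the explicit public allowlist. The auth decision
    comes before the existence check so unauthenticated callers cannot enumerate
    registered views."""
    view = resolve_view(req)
    requires_auth, _ = REQUEST_MAP.get(req.uri, (True, None))
    if not req.authenticated and (requires_auth or view not in PUBLIC_VIEWS):
        return "403 Forbidden"
    if view not in VIEW_MAP:
        return "404 Not Found"
    return VIEW_MAP[view]()


if __name__ == "__main__":
    cases = [
        Request("login", False),                      # normal public request
        Request("admin/users", False),                # restricted, no credentials
        Request("admin/users", True),                 # restricted, authenticated
        Request("login", False, "UserAdminView"),     # public request, restricted view
        Request("nonexistent", False),                # unmapped URI
    ]
    for case in cases:
        print(f"{case!r:60} vulnerable={route_vulnerable(case)!r:20} "
              f"hardened={route_hardened(case)!r}")
```

The fourth case is the shape of the problem: the request-level check passes because the `login` entry is public, yet the view that gets rendered is the restricted one. The hardened router gives the same answers as the vulnerable one for every ordinary request and differs only where the two maps disagree, which is the property a regression test for this class of fix should assert.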
Active Exploits and CISA Warnings
In August, the Cybersecurity and Infrastructure Security Agency (CISA) warned that the CVE-2024-32113 vulnerability was being actively exploited in attacks. The agency added it to its catalog of known exploited vulnerabilities, requiring federal agencies to patch their systems within a set timeframe under the Binding Operational Directive (BOD 22-01).
Although this mandate specifically applies to Federal Civilian Executive Branch (FCEB) agencies, CISA strongly recommends that all organizations prioritize patching these vulnerabilities to protect their networks from potential attacks.
Attackers have also exploited previous OFBiz RCE vulnerabilities, such as CVE-2023-49070, using publicly available proof-of-concept exploits.
Source: bleepingcomputer.com