Apache addressed a remote code execution vulnerability affecting the Apache OFBiz open-source enterprise resource planning (ERP) system.
Apache fixed a high-severity vulnerability, tracked as CVE-2024-45195 (CVSS score: 7.5) affecting the Apache OFBiz open-source enterprise resource planning (ERP) system.
Apache OFBiz® is an open source product for the automation of enterprise processes that includes framework components and business applications.
The vulnerability is a Direct Request (‘Forced Browsing’) issue in Apache OFBiz. This flaw affects all versions of the software before 18.12.16.
“Apache OFBiz below 18.12.16 is vulnerable to unauthenticated remote code execution on Linux and Windows. An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server.” reads the analysis published by Rapid7. “Exploitation is facilitated by bypassing previous patches for CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856; this patch bypass vulnerability is tracked as CVE-2024-45195.”
Rapid7 pointed out that all three previous vulnerabilities stemmed from a shared issue: the ability to desynchronize the controller and view map state. None of the patches fully resolved this issue.
The vulnerability allowed authenticated threat actors to execute code or SQL queries, leading to remote code execution. The latest patch addresses this by ensuring that anonymous access is only permitted if the user is unauthenticated, rather than relying solely on authorization checks based on the target controller.
“In this patch, authorization checks were implemented for the view. This change validates that a view should permit anonymous access if a user is unauthenticated, rather than performing authorization checks purely based on the target controller.” concludes Rapid7. “OFBiz users should update to the fixed version as soon as possible.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, Apache OFBiz)