Critical remote code execution flaw in Apache OFBiz patched

[Image: a padlock resting on a keyboard. Image credit: Passwork]

Apache released a patch for a critical severity vulnerability in its OFBiz software. The bug is an arbitrary code execution flaw, allowing threat actors to run any code on either Windows or Linux servers.

Apache OFBiz (short for Open For Business) is an open-source enterprise resource planning (ERP) system that provides a suite of applications designed to automate and manage a wide range of business processes. It offers a comprehensive platform for businesses to handle operations such as customer relationship management (CRM), supply chain management, inventory management, accounting, e-commerce, and more.

According to cybersecurity researchers Rapid7, the bug stems from a forced browsing weakness that exposes restricted paths to unauthenticated direct request attacks. "An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server," the researchers explained.
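The weakness Rapid7 describes is a general one: authorization is enforced in one place (the request map), while a second lookup path can reach a restricted view without ever passing through that check. The following is an added, deliberately simplified illustration in Python; it is not OFBiz code, and the request map, view map and route names are constructed for the example. It shows a dispatcher whose fallback renders views without a check, the deny-by-default version that attaches the requirement to the view itself, and a small audit helper a defender can run over a view map to list views that do not explicitly require authentication.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    authenticated: bool


class Forbidden(Exception):
    """Raised when a view is requested by a user who may not see it."""


# Constructed sample configuration for a hypothetical web app (not OFBiz's real controller files).
REQUEST_MAP = {
    "/login": {"view": "LoginPage", "auth": False},
    "/admin": {"view": "AdminPanel", "auth": True},
}
VIEW_MAP = {
    "LoginPage": {"template": "login.html"},
    "AdminPanel": {"template": "admin.html"},
}


def dispatch_vulnerable(path: str, user: User) -> str:
    """Authorization lives only on request-map entries.

    A view that is reachable through any other route (here: the fallback that
    resolves a view name directly) is rendered with no check at all.
    """
    if path in REQUEST_MAP:
        entry = REQUEST_MAP[path]
        if entry["auth"] and not user.authenticated:
            raise Forbidden(path)
        return VIEW_MAP[entry["view"]]["template"]
    view = path.lstrip("/")
    if view in VIEW_MAP:  # second lookup path: the view map is consulted with no authorization check
        return VIEW_MAP[view]["template"]
    raise KeyError(path)


# Hardened variant: the requirement is attached to the view itself and enforced
# at the single point where any view is rendered, so every route passes through it.
VIEW_MAP_HARDENED = {
    "LoginPage": {"template": "login.html", "auth": False},
    "AdminPanel": {"template": "admin.html", "auth": True},
}


def render(view: str, user: User) -> str:
    spec = VIEW_MAP_HARDENED.get(view)
    if spec is None:
        raise KeyError(view)
    if spec.get("auth", True) and not user.authenticated:  # missing "auth" key means deny
        raise Forbidden(view)
    return spec["template"]


def dispatch_hardened(path: str, user: User) -> str:
    if path in REQUEST_MAP:
        return render(REQUEST_MAP[path]["view"], user)
    return render(path.lstrip("/"), user)


def audit_views(view_map: dict) -> list:
    """Return the views whose spec does not explicitly require authentication.

    Run over a real view map, this is the list a reviewer should justify one by one.
    """
    return sorted(v for v, spec in view_map.items() if not spec.get("auth", False))


def outcome(dispatcher, path: str, user: User) -> str:
    """Summarise a dispatch as 'rendered:<template>', 'forbidden' or 'not-found'."""
    try:
        return "rendered:" + dispatcher(path, user)
    except Forbidden:
        return "forbidden"
    except KeyError:
        return "not-found"


if __name__ == "__main__":
    anon = User("anon", authenticated=False)
    print("vulnerable, /admin      ->", outcome(dispatch_vulnerable, "/admin", anon))
    print("vulnerable, /AdminPanel ->", outcome(dispatch_vulnerable, "/AdminPanel", anon))
    print("hardened,   /AdminPanel ->", outcome(dispatch_hardened, "/AdminPanel", anon))
    print("views lacking explicit auth (original):", audit_views(VIEW_MAP))
    print("views lacking explicit auth (hardened):", audit_views(VIEW_MAP_HARDENED))
```

The design point is that an authorization check placed on the route is only as good as the guarantee that every route to the protected resource carries it; putting the requirement on the resource and enforcing it at the one rendering chokepoint removes the need for that guarantee, and the audit helper turns "which views have no explicit requirement" into a reviewable list rather than something discovered after the fact.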

Mitigations and fixes

The vulnerability is now tracked as CVE-2024-45195, and carries a severity score of 7.5 (high). All versions prior to 18.12.16 were vulnerable, and in the latest version, Apache addressed the issue by adding authorization checks. Users are advised to apply the patch without hesitation.

The researchers further explained that this is not the first vulnerability, or the first patch, to address the very same kind of flaw. Last year, Apache released three patches for three flaws that all had the same root cause: CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856.

In fact, CVE-2024-45195 is a patch bypass for the three older ones.

“All of them are caused by a controller-view map fragmentation issue that enables attackers to execute code or SQL queries and achieve remote code execution without authentication,” the researchers concluded.

Earlier this month, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that one of the three flaws, CVE-2024-32113, was being exploited in attacks, and added it to the Known Exploited Vulnerabilities (KEV) catalog.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.