Apache Patches Major OFBiz Flaw: Safeguarding Against Remote Code Execution Threats!

TRO Staff


Apache Addresses Critical Security Flaw in OFBiz Software

Apache has recently resolved a significant security issue in its open-source OFBiz (Open For Business) software: a flaw that could allow unauthenticated attackers to execute arbitrary code on vulnerable Linux and Windows servers.


Understanding OFBiz

OFBiz is an integrated suite of applications designed for customer relationship management (CRM) and enterprise resource planning (ERP). Additionally, it serves as a Java-based web framework that facilitates the development of web applications.

Details of the Vulnerability

The vulnerability, identified as CVE-2024-45195 and uncovered by security experts at Rapid7, is classified as a remote code execution flaw. This issue arises from a forced browsing vulnerability that exposes restricted paths to unauthenticated direct request attacks.

Ryan Emmons, a security researcher at Rapid7, elaborated on this matter in his report: “An attacker lacking valid credentials can exploit the absence of view authorization checks within the web application to execute arbitrary code on the server.” The report also included proof-of-concept exploit code demonstrating this vulnerability.

In response to this critical threat, Apache’s security team implemented necessary fixes in version 18.12.16 by introducing additional authorization checks. Users of OFBiz are strongly encouraged to update their systems promptly to mitigate potential risks.

Revisiting Previous Security Measures

Emmons further noted that CVE-2024-45195 represents a bypass for three earlier vulnerabilities associated with OFBiz that have been addressed since January 2024. These vulnerabilities are tracked under CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856.

“Our analysis indicates that these three vulnerabilities share similar root causes,” Emmons stated. All four issues stem from fragmentation problems within the controller-view mapping system that allow attackers to execute both code and SQL queries without requiring authentication.
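The shared root cause Emmons describes, authorization that is attached to a request mapping while the view that actually renders carries no check of its own, can be shown with a small model of a controller. The Python below is an added example written for this article; it is not OFBiz code and not Rapid7's proof of concept. The request map, the view map, the handler names and the `reports_legacy` misconfiguration are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional, Set


@dataclass
class Session:
    """Constructed session: `user` is None for an unauthenticated caller."""
    user: Optional[str] = None
    roles: Set[str] = field(default_factory=set)


class Forbidden(Exception):
    """Raised when a handler refuses to render a view."""


# Constructed request map. Authorization is attached to each request URI.
# "reports_legacy" is the deliberate mistake: a second route to the same
# restricted view that was registered without the auth flag.
REQUEST_MAP = {
    "login":          {"view": "LoginPage",  "auth": False},
    "reports":        {"view": "ReportView", "auth": True},
    "reports_legacy": {"view": "ReportView", "auth": False},
}

# Constructed view map. This is the policy the hardened handler enforces: a
# view carries its own requirements regardless of which route reached it.
VIEW_MAP = {
    "LoginPage":  {"auth": False, "roles": set()},
    "ReportView": {"auth": True,  "roles": {"reporting"}},
}


def handle_request_weak(request_uri: str, session: Session) -> str:
    """Weak pattern: the only check is the one on the request mapping.
    Any route that forgets the flag renders the view unconditionally."""
    entry = REQUEST_MAP.get(request_uri)
    if entry is None:
        raise Forbidden("unknown request " + request_uri)
    if entry["auth"] and session.user is None:
        raise Forbidden("login required for request " + request_uri)
    return "rendered:" + entry["view"]


def handle_request_hardened(request_uri: str, session: Session) -> str:
    """Hardened pattern: keep the request check, then authorize the resolved
    view against its own policy, denying views that have no policy at all."""
    entry = REQUEST_MAP.get(request_uri)
    if entry is None:
        raise Forbidden("unknown request " + request_uri)
    if entry["auth"] and session.user is None:
        raise Forbidden("login required for request " + request_uri)
    view = entry["view"]
    policy = VIEW_MAP.get(view)
    if policy is None:
        raise Forbidden("no policy for view " + view)  # deny by default
    if policy["auth"] and session.user is None:
        raise Forbidden("login required for view " + view)
    if not policy["roles"] <= session.roles:
        raise Forbidden("missing role for view " + view)
    return "rendered:" + view


def outcome(handler: Callable[[str, Session], str],
            request_uri: str, session: Session) -> str:
    """Run a handler and report either the rendered view or 'forbidden'."""
    try:
        return handler(request_uri, session)
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    anon = Session()
    analyst = Session(user="alice", roles={"reporting"})
    for uri in REQUEST_MAP:
        print(uri, "anonymous:", outcome(handle_request_weak, uri, anon),
              "/", outcome(handle_request_hardened, uri, anon))
    print("reports, analyst:", outcome(handle_request_hardened, "reports", analyst))
```

The weak handler renders `ReportView` for an anonymous caller who arrives through the unflagged route, which is the forced-browsing outcome the article describes. The hardened handler authorizes the resource (the view) rather than the route, so a missing flag on any one mapping no longer matters, and a view with no registered policy is refused rather than rendered. That is the direction of the fix the article attributes to version 18.12.16: authorization checks at the view, not only at the request.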

Recent Alerts from CISA

In early August 2023, CISA issued warnings regarding active exploitation attempts targeting the previously patched CVE-2024-32113 vulnerability (fixed in May). This alert followed SonicWall researchers’ publication detailing another pre-authentication remote code execution bug identified as CVE-2024-38856.

CISA subsequently added these two vulnerabilities to its Known Exploited Vulnerabilities catalog, mandating that federal agencies address these flaws within three weeks under its binding operational directive (BOD 22-01), established in November 2021.

While BOD 22-01 applies only to Federal Civilian Executive Branch agencies, CISA has urged all organizations, regardless of sector, to prioritize patching these vulnerabilities proactively in order to protect against potential network intrusions.

Emerging Threats

In December 2023, cybercriminals began exploiting another pre-authentication remote code execution flaw related to OFBiz known as CVE-2023-49070. Attackers utilized publicly available proof-of-concept exploits aimed at identifying vulnerable Confluence servers through this method.
