A new high-severity vulnerability in the Apache OFBiz open-source enterprise resource planning (ERP) system has been patched, addressing a flaw that could enable unauthenticated remote code execution on Linux and Windows systems. Tracked as CVE-2024-45195 with a CVSS score of 7.5, this flaw affects all versions of Apache OFBiz prior to 18.12.16.
According to Rapid7 security researcher Ryan Emmons, the vulnerability allows attackers without valid credentials to exploit missing view authorization checks, potentially executing arbitrary code on the server. This latest flaw is a bypass for several previously addressed issues, including CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856, two of which have been actively exploited in the wild to deploy the Mirai botnet malware.
Apache OFBiz Update Fixes High-Severity Flaw Leading to Remote Code Execution https://t.co/S3Y1fVi0Uj
— DeepBlue Security & Intelligence (@DeepBlueInfoSec) September 6, 2024
Rapid7 pointed out that these vulnerabilities stem from the ability to desynchronize the controller and view map state, a problem that prior patches failed to fully resolve. Attackers could exploit this issue to execute remote code or SQL queries without authentication.
The latest patch enforces authorization checks to prevent unauthorized access: when a request arrives unauthenticated, the view it would render is served only if that view itself permits anonymous access. Additionally, the patch addresses a critical server-side request forgery (SSRF) vulnerability (CVE-2024-45507) with a CVSS score of 9.8, which could allow unauthorized access through a specially crafted URL.
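To make the class of fix described above concrete, here is a small added model of a controller/view dispatcher. It is illustrative code written for this article, not Apache OFBiz source: the request-map and view-map names, the `Denied` exception and both `dispatch_*` functions are assumptions. The point it shows is the one Rapid7 and the patch make: an authorization decision taken only at the request-map level can be bypassed if the view that is eventually rendered has drifted away from the one that was authorized, so the hardened version re-checks, at render time, that an unauthenticated caller is only ever served a view that allows anonymous access. How that drift can occur is deliberately not modelled.

```python
"""Constructed model of request-level vs. view-level authorization checks.

Not Apache OFBiz code. The configuration below is a made-up sample that
stands in for a controller's request-map and view-map entries.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RequestMap:
    uri: str
    requires_auth: bool  # does this request entry demand a logged-in user?
    view: str            # view the controller intends to render


@dataclass(frozen=True)
class ViewMap:
    name: str
    allow_anonymous: bool  # may this view be shown to an unauthenticated user?


# Constructed sample configuration (assumption, not a real OFBiz controller).
REQUEST_MAPS = {
    "login": RequestMap("login", requires_auth=False, view="LoginPage"),
    "admin": RequestMap("admin", requires_auth=True, view="AdminConsole"),
}
VIEW_MAPS = {
    "LoginPage": ViewMap("LoginPage", allow_anonymous=True),
    "AdminConsole": ViewMap("AdminConsole", allow_anonymous=False),
}


class Denied(Exception):
    """Raised when a request or view must not be served to this caller."""


def dispatch_unchecked(uri: str, rendered_view: Optional[str], authenticated: bool) -> str:
    """Pre-fix behaviour (model): the only authorization decision is taken
    against the request map. `rendered_view` represents the view state the
    rendering stage actually ends up with; if it has drifted from the
    authorized request's view, nothing here notices."""
    req = REQUEST_MAPS[uri]
    if req.requires_auth and not authenticated:
        raise Denied(f"request '{uri}' requires login")
    view = VIEW_MAPS[rendered_view or req.view]
    return view.name  # rendered without consulting view.allow_anonymous


def dispatch_checked(uri: str, rendered_view: Optional[str], authenticated: bool) -> str:
    """Hardened behaviour (model of the fix the article describes): after the
    request-level check, an unauthenticated caller is served only if the view
    that is really being rendered permits anonymous access."""
    req = REQUEST_MAPS[uri]
    if req.requires_auth and not authenticated:
        raise Denied(f"request '{uri}' requires login")
    view = VIEW_MAPS[rendered_view or req.view]
    if not authenticated and not view.allow_anonymous:
        raise Denied(f"view '{view.name}' does not allow anonymous access")
    return view.name


def run_demo() -> tuple:
    """Anonymous request authorized as 'login', but with the view state
    drifted to the protected 'AdminConsole'. Returns what each dispatcher
    does: the unchecked one renders the protected view, the checked one
    refuses."""
    unchecked = dispatch_unchecked("login", "AdminConsole", authenticated=False)
    try:
        dispatch_checked("login", "AdminConsole", authenticated=False)
        checked = "rendered"
    except Denied:
        checked = "denied"
    return unchecked, checked


if __name__ == "__main__":
    print(run_demo())  # ('AdminConsole', 'denied')
```

The design point worth carrying over to any framework with separate routing and view layers: the access decision has to be made against the artifact that is actually served (the view), not only against the route that was initially matched, otherwise any later stage that can change the selected view also changes the effective authorization.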
Users are strongly urged to update to Apache OFBiz version 18.12.16 to secure their systems against these vulnerabilities.
Keeping software updated is key to preventing potential exploits and ensuring system security.
Sandhya Goswami
Sandhya is a contributing author at Cloudways, specializing in content promotion and performance analysis. With a strong analytical approach and a keen ability to leverage data-driven insights, Sandhya excels in measuring the success of organic marketing initiatives.