SecurityWeek

Apache Makes Another Attempt at Patching Exploited RCE in OFBiz

The latest Apache OFBiz update patches CVE-2024-45195, a bypass of a recently disclosed remote code execution bug exploited in attacks.


Apache this week announced a security update for the open source enterprise resource planning (ERP) system OFBiz, to address two vulnerabilities, including a bypass of patches for two exploited flaws.

The bypass, tracked as CVE-2024-45195, is described as a missing view authorization check in the web application, which allows unauthenticated, remote attackers to execute code on the server. Both Linux and Windows systems are affected, Rapid7 warns.

According to the cybersecurity firm, the bug is related to three recently addressed remote code execution (RCE) flaws in Apache OFBiz (CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856), including two that are known to have been exploited in the wild.

Rapid7, which identified and reported the patch bypass, says that the three vulnerabilities are, in essence, the same security defect, as they have the same root cause.

Disclosed in early May, CVE-2024-32113 was described as a path traversal that allowed an attacker to “interact with an authenticated view map via an unauthenticated controller” and access admin-only view maps to execute SQL queries or code. Exploitation attempts were seen in July.

The second flaw, CVE-2024-36104, was disclosed in early June, also described as a path traversal. It was addressed with the removal of semicolons and URL-encoded periods from the URI.

In early August, Apache drew attention to CVE-2024-38856, described as an incorrect authorization security defect that could lead to code execution. In late August, the US cyber defense agency CISA added the bug to its Known Exploited Vulnerabilities (KEV) catalog.

All three issues, Rapid7 says, are rooted in controller-view map state fragmentation, which occurs when the application receives unexpected URI patterns. The payload for CVE-2024-38856 works for systems affected by CVE-2024-32113 and CVE-2024-36104, “since the root cause is the same for all three”.


The bug was addressed with permission checks for two view maps targeted by previous exploits, preventing the known exploit techniques, but without resolving the underlying cause, namely “the ability to fragment the controller-view map state”.

“All three of the previous vulnerabilities were caused by the same shared underlying issue, the ability to desynchronize the controller and view map state. That flaw was not fully addressed by any of the patches,” Rapid7 explains.

The cybersecurity firm targeted another view map to exploit the software without authentication and attempt to dump “usernames, passwords, and credit card numbers stored by Apache OFBiz” to an internet-accessible folder.

Apache OFBiz version 18.12.16 was released this week to resolve the vulnerability by implementing additional authorization checks.

“This change validates that a view should permit anonymous access if a user is unauthenticated, rather than performing authorization checks purely based on the target controller,” Rapid7 explains.
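The difference Rapid7 describes, checking the view that will actually be rendered rather than the controller that received the request, can be shown with a toy dispatcher. This is an added illustration, not Apache OFBiz code; the controller map, view map, the `view_override` field standing in for an unexpected URI pattern, and the `allow_anonymous` flag are all constructed assumptions that abstract away how OFBiz really parses requests.

```python
# Added illustration, not Apache OFBiz code: a toy dispatcher showing why an
# authorization check keyed on the receiving controller can drift out of sync
# with the view that is finally rendered, and the view-based check that closes it.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class View:
    name: str
    allow_anonymous: bool  # may this view be rendered for an unauthenticated user?


# Constructed view map: one public view, one that must never be shown anonymously.
VIEW_MAP = {
    "login": View("login", allow_anonymous=True),
    "adminReport": View("adminReport", allow_anonymous=False),
}

# Constructed controller map: each controller has a default view and a flag
# saying whether the controller itself demands a logged-in user.
CONTROLLER_MAP = {
    "public": {"default_view": "login", "requires_auth": False},
    "admin": {"default_view": "adminReport", "requires_auth": True},
}


@dataclass(frozen=True)
class Request:
    controller: str
    view_override: Optional[str]  # stands in for a view name reached via an unexpected URI
    authenticated: bool


def resolve_view(req: Request) -> View:
    # The rendered view is the override if one is present, else the controller's default.
    name = req.view_override or CONTROLLER_MAP[req.controller]["default_view"]
    return VIEW_MAP[name]


def dispatch_controller_check(req: Request) -> str:
    # Weak pattern: authorize purely on the controller that received the request.
    # Whatever view resolve_view() later picks is never consulted.
    if CONTROLLER_MAP[req.controller]["requires_auth"] and not req.authenticated:
        return "denied"
    return "rendered:" + resolve_view(req).name


def dispatch_view_check(req: Request) -> str:
    # Hardened pattern: resolve the view first, then require that it permits
    # anonymous access whenever the caller is unauthenticated.
    view = resolve_view(req)
    if not req.authenticated and not view.allow_anonymous:
        return "denied"
    return "rendered:" + view.name
```

The controller-based check lets an unauthenticated request that entered through the public controller render the admin-only view, while the view-based check denies it and still serves the public view normally.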

The OFBiz security update also addresses CVE-2024-45507, described as a server-side request forgery (SSRF) and code injection flaw.

Users are advised to update to Apache OFBiz 18.12.16 as soon as possible, considering that threat actors are targeting vulnerable installations in the wild.

Related: Apache HugeGraph Vulnerability Exploited in Wild

Related: Critical Apache OFBiz Vulnerability in Attacker Crosshairs

Related: Misconfigured Apache Airflow Instances Expose Sensitive Information

Related: Remote Code Execution Vulnerability Patched in Apache OFBiz

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
