Apache has fastened a important safety vulnerability in its open-source OFBiz (Open For Enterprise) software program, which may permit attackers to execute arbitrary code on susceptible Linux and Home windows servers.
OFBiz is a collection of buyer relationship administration (CRM) and enterprise useful resource planning (ERP) enterprise purposes that can be used as a Java-based internet framework for growing internet purposes.
Tracked as CVE-2024-45195 and found by Rapid7 safety researchers, this distant code execution flaw is attributable to a pressured shopping weak point that exposes restricted paths to unauthenticated direct request assaults.
“An attacker with no legitimate credentials can exploit lacking view authorization checks within the internet software to execute arbitrary code on the server,” safety researcher Ryan Emmons explained on Thursday in a report containing proof-of-concept exploit code.
The Apache safety group patched the vulnerability in model 18.12.16 by including authorization checks. OFBiz customers are suggested to improve their installations as quickly as potential to dam potential assaults.
Bypass for earlier safety patches
As Emmons additional defined right this moment, CVE-2024-45195 is a patch bypass for 3 different OFBiz vulnerabilities which have been patched because the begin of the yr and are tracked as CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856.
“Primarily based on our evaluation, three of those vulnerabilities are, basically, the identical vulnerability with the identical root trigger,” Emmons added.
All of them are attributable to a controller-view map fragmentation concern that allows attackers to execute code or SQL queries and obtain distant code execution with out authentication.
In early August, CISA warned that the CVE-2024-32113 OFBiz vulnerability (patched in Could) was being exploited in assaults, days after SonicWall researchers published technical details on the CVE-2024-38856 pre-authentication RCE bug.
CISA additionally added the 2 security bugs to its catalog of actively exploited vulnerabilities, requiring federal companies to patch their servers inside three weeks as mandated by the binding operational directive (BOD 22-01) issued in November 2021.
Although BOD 22-01 solely applies to Federal Civilian Govt Department (FCEB) companies, CISA urged all organizations to prioritize patching these flaws to thwart assaults that would goal their networks.
In December, attackers started exploiting one other OFBiz pre-authentication distant code execution vulnerability (CVE-2023-49070) utilizing public proof of idea (PoC) exploits to seek out susceptible Confluence servers.