Apache has fastened a important safety vulnerability in its open-source OFBiz (Open For Enterprise) software program, which might enable attackers to execute arbitrary code on susceptible Linux and Home windows servers.
OFBiz is a set of buyer relationship administration (CRM) and enterprise useful resource planning (ERP) enterprise purposes that can be used as a Java-based net framework for creating net purposes.
Tracked as CVE-2024-45195 and found by Rapid7 safety researchers, this distant code execution flaw is attributable to a compelled looking weak point that exposes restricted paths to unauthenticated direct request assaults.
“An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server,” safety researcher Ryan Emmons defined on Thursday in a report containing proof-of-concept exploit code.
The Apache safety staff patched the vulnerability in model 18.12.16 by including authorization checks. OFBiz customers are suggested to improve their installations as quickly as potential to dam potential assaults.
Bypass for earlier safety patches
As Emmons additional defined at this time, CVE-2024-45195 is a patch bypass for 3 different OFBiz vulnerabilities which were patched for the reason that begin of the yr and are tracked as CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856.
“Based on our analysis, three of these vulnerabilities are, essentially, the same vulnerability with the same root cause,” Emmons added.
All of them are attributable to a controller-view map fragmentation problem that allows attackers to execute code or SQL queries and obtain distant code execution with out authentication.
In early August, CISA warned that the CVE-2024-32113 OFBiz vulnerability (patched in Might) was being exploited in assaults, days after SonicWall researchers printed technical particulars on the CVE-2024-38856 pre-authentication RCE bug.
CISA additionally added the 2 safety bugs to its catalog of actively exploited vulnerabilities, requiring federal businesses to patch their servers inside three weeks as mandated by the binding operational directive (BOD 22-01) issued in November 2021.
Although BOD 22-01 solely applies to Federal Civilian Government Department (FCEB) businesses, CISA urged all organizations to prioritize patching these flaws to thwart assaults that might goal their networks.
In December, attackers began exploiting one other OFBiz pre-authentication distant code execution vulnerability (CVE-2023-49070) utilizing public proof of idea (PoC) exploits to search out susceptible Confluence servers.