A critical vulnerability, CVE-2024-45195 [1]-[8], was recently disclosed in the Apache OFBiz ERP system [6]; it poses a significant risk to any deployment that has not yet been patched [7].
Description
The vulnerability allows an unauthenticated attacker to execute arbitrary code on both Linux and Windows hosts running OFBiz. It was fixed in version 18.12.16, which adds the authorization checks that were missing, thereby closing the remote code execution path. The same release also fixes a separate server-side request forgery (SSRF) flaw [6], CVE-2024-45507 [1]-[8], which could lead to unauthorized access and system compromise [6]. The root cause of CVE-2024-45195 is a missing view authorization check: the controller authorizes the incoming request mapping, but the view that is ultimately rendered can be desynchronized from that mapping, so an attacker without valid credentials can reach a view (and the code path behind it) that should have required authentication [4]. This is the same underlying issue behind three earlier 2024 disclosures, CVE-2024-32113 [3] [4] [5], CVE-2024-36104 [1] [3] [4] [5] [6] [8] and CVE-2024-38856 [1] [3] [4] [5] [6] [8], each of which stemmed from desynchronizing the controller and view map state [4]; CVE-2024-45195 was effectively a bypass of the earlier fixes.
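To make the bug class concrete, the following is an added, constructed model of a controller/view authorization desync. It is not OFBiz code and does not reproduce any OFBiz request or view name; the request map, view map and the client-controlled `view_override` field are hypothetical. The vulnerable dispatcher authorizes only the request mapping and then renders whatever view is selected, so an unauthenticated caller who can influence view selection reaches a view that the view map says requires a session. The hardened dispatcher is the shape of fix the advisories describe: authorize the request mapping and, separately, the view that will actually be rendered.

```python
"""Constructed model of a controller/view authorization desync (added example,
not Apache OFBiz's controller). All mapping names and fields are hypothetical."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    uri: str                     # request mapping name, e.g. "login"
    authenticated: bool          # whether the caller holds a valid session
    view_override: Optional[str] = None  # hypothetical client-controlled view selector


# Hypothetical controller state: which request mappings require a session,
# and which view each mapping renders by default.
REQUEST_MAP = {
    "login":      {"auth": False, "view": "login"},
    "viewReport": {"auth": True,  "view": "report"},
}

# Hypothetical view map: which views must only render for an authenticated session.
VIEW_MAP = {
    "login":  {"auth": False},
    "report": {"auth": True},
}


class AuthError(Exception):
    """Raised when the dispatcher refuses to render for the caller."""


def resolve_view(req: Request) -> str:
    # The rendered view can be desynchronized from the request mapping:
    # an override wins over the mapping's default view.
    return req.view_override or REQUEST_MAP[req.uri]["view"]


def dispatch_vulnerable(req: Request) -> str:
    """Authorize only the request mapping; the view rendered afterwards is never
    re-checked, so the request-level check is the only gate."""
    if REQUEST_MAP[req.uri]["auth"] and not req.authenticated:
        raise AuthError("request mapping requires login")
    return resolve_view(req)


def dispatch_hardened(req: Request) -> str:
    """Authorize the request mapping AND the view that will actually render,
    so the two cannot disagree about whether a session is required."""
    if REQUEST_MAP[req.uri]["auth"] and not req.authenticated:
        raise AuthError("request mapping requires login")
    view = resolve_view(req)
    if view not in VIEW_MAP:
        raise AuthError("unknown view")
    if VIEW_MAP[view]["auth"] and not req.authenticated:
        raise AuthError("view requires login")
    return view


def renders_protected_view_unauthenticated(dispatch, uri: str, view: str) -> bool:
    """True if `dispatch` renders a session-protected view for a caller with no
    session. Used to show the bypass in the vulnerable dispatcher and its absence
    in the hardened one."""
    req = Request(uri=uri, authenticated=False, view_override=view)
    try:
        return dispatch(req) == view and VIEW_MAP[view]["auth"]
    except AuthError:
        return False


if __name__ == "__main__":
    print("vulnerable bypass:",
          renders_protected_view_unauthenticated(dispatch_vulnerable, "login", "report"))
    print("hardened bypass:  ",
          renders_protected_view_unauthenticated(dispatch_hardened, "login", "report"))
```

The point of the model is that the request-level check is not wrong, it is simply not the only decision that matters: whatever is rendered must be authorized on its own terms, which is why the earlier OFBiz fixes that only tightened request handling were bypassed and the final fix checks the view as well.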
Conclusion
Administrators should update to version 18.12.16 to close both flaws. The urgency is real: the US Cybersecurity and Infrastructure Security Agency (CISA) has warned of active exploitation of the earlier, related OFBiz vulnerabilities [7], and it added CVE-2024-32113 to its Known Exploited Vulnerabilities catalog after attacks leveraging that flaw were observed [5]. Rapid7 researchers, who reported the latest flaw, have published a proof-of-concept exploit for it [3] [5]; it requires no valid credentials and yields arbitrary code execution on the server [5].
References
[1] https://securityaffairs.com/168106/security/apache-ofbiz-rce-cve-2024-45195.html
[2] https://www.helpnetsecurity.com/2024/09/06/cve-2024-45195/
[3] https://www.scmagazine.com/brief/critical-apache-ofbiz-flaw-patched
[4] https://duo.com/decipher/apache-fixes-ofbiz-remote-code-execution-flaw
[5] https://www.channele2e.com/brief/apache-releases-updates-to-patch-ofbiz-flaw
[6] https://thehackernews.com/2024/09/apache-ofbiz-update-fixes-high-severity.html
[7] https://www.blackhatethicalhacking.com/news/critical-apache-ofbiz-flaw-allows-hackers-to-execute-code-remotely/
[8] https://www.techradar.com/pro/security/critical-remote-code-execution-flaw-in-apache-ofbiz-patched