A zero-day security flaw [1] [2] [3] [7], known as CVE-2023-51467 [1] [2] [3] [4] [6] [7], has been discovered in Apache OFBiz [1] [2] [3] [4] [6] [7], an open-source ERP system [1] [2] [3] [6] [7]. The flaw allows authentication bypass in the login functionality and results from an incomplete patch for another critical vulnerability [3], CVE-2023-49070 [1] [2] [3] [4] [5] [6] [7] [8].
Description
By sending empty or invalid USERNAME and PASSWORD parameters in an HTTP request [2] [7], an attacker can bypass authentication and gain unauthorized access to internal resources [1] [2]. The flaw also enables a simple Server-Side Request Forgery (SSRF) attack. All versions of Apache OFBiz prior to 18.12.11 are vulnerable [8], and updating to that version or newer is strongly recommended to close the issue. SonicWall responsibly disclosed the vulnerability to the Apache OFBiz project and advises users to update to version 18.12.11 or later [6]. SonicWall has also released an IPS signature to detect active exploitation of this vulnerability [6].
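As an added example (not from the page or the OFBiz project), the following Python script shows two checks a defender would run for this advisory: comparing a deployed version string against the fixed 18.12.11 release, and scanning web-server access logs for login requests whose USERNAME or PASSWORD query parameter is empty or missing, which is the pattern the description above identifies. The log lines are constructed samples and the request path is a placeholder, not the product's real login endpoint.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real traffic). The path
# "/login/control/login" is a placeholder, not the real OFBiz endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Dec/2023:10:00:01 +0000] "POST /login/control/login?USERNAME=&PASSWORD= HTTP/1.1" 200 512
10.0.0.6 - - [27/Dec/2023:10:00:02 +0000] "POST /login/control/login?USERNAME=alice&PASSWORD=s3cret HTTP/1.1" 302 0
10.0.0.7 - - [27/Dec/2023:10:00:03 +0000] "GET /login/control/main HTTP/1.1" 200 2048
10.0.0.8 - - [27/Dec/2023:10:00:04 +0000] "POST /login/control/login?USERNAME=bob HTTP/1.1" 200 512
"""

# Common Log Format: client, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

FIXED_VERSION = (18, 12, 11)  # first release carrying the complete fix [8]


def parse_version(version):
    """Turn a dotted version string such as "18.12.10" into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable_version(version):
    """True when the OFBiz version is older than 18.12.11."""
    return parse_version(version) < FIXED_VERSION


def suspicious_login_params(target):
    """True when the request carries USERNAME/PASSWORD and either is empty or absent.

    Only query-string parameters are visible in access logs; POST bodies are not."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if "USERNAME" not in qs and "PASSWORD" not in qs:
        return False  # not a credential-bearing request at all
    for key in ("USERNAME", "PASSWORD"):
        if not qs.get(key) or all(value == "" for value in qs[key]):
            return True
    return False


def scan_log(text):
    """Return (client, target, status) for every request with empty credentials."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match and suspicious_login_params(match["target"]):
            hits.append((match["ip"], match["target"], int(match["status"])))
    return hits
```

Requests from 10.0.0.5 and 10.0.0.8 are flagged; a status of 200 rather than a redirect to the login page on such a request is the signal worth alerting on.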
Conclusion
This zero-day flaw in Apache OFBiz poses a significant risk because it allows authentication bypass and potential unauthorized access to internal resources. To mitigate it [4] [6], users should update to version 18.12.11 or later. SonicWall’s responsible disclosure and IPS signature demonstrate its commitment to addressing the issue. Users should act promptly to protect their systems and prevent exploitation of this vulnerability.
References
[1] https://vulners.com/thn/THN:1F1D6595B5540271310644B077944EE2
[2] https://ciso2ciso.com/critical-zero-day-in-apache-ofbiz-erp-system-exposes-businesses-to-attack-sourcethehackernews-com/
[3] https://cyber.vumetric.com/security-news/2023/12/27/critical-zero-day-in-apache-ofbiz-erp-system-exposes-businesses-to-attack/
[4] https://meterpreter.org/cve-2023-51467-cve-2023-50968-critical-security-vulnerabilities-in-apache-ofbiz/
[5] https://nsfocusglobal.com/apache-ofbiz-arbitrary-file-reading-and-remote-code-execution-vulnerabilities-cve-2023-50968-cve-2023-51467-alert/
[6] https://blog.sonicwall.com/en-us/2023/12/sonicwall-discovers-critical-apache-ofbiz-zero-day-authbiz/
[7] https://thehackernews.com/2023/12/critical-zero-day-in-apache-ofbiz-erp.html
[8] https://securityonline.info/cve-2023-51467-apache-ofbiz-pre-authentication-rce-vulnerability/