Apache released a patch for a critical severity vulnerability in its OFBiz software. The bug is an arbitrary code execution flaw, allowing threat actors to run any code on either Windows, or Linux servers.
Apache OFBiz (short for Open For Business) is an open-source enterprise resource planning (ERP) system that provides a suite of applications designed to automate and manage a wide range of business processes. It offers a comprehensive platform for businesses to handle operations such as customer relationship management (CRM), supply chain management, inventory management, accounting, e-commerce, and more.
According to cybersecurity researchers Rapid7, the bug stems from a forced browsing weakness that exposes restricted paths to unauthenticated direct request attacks. “An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server,” the researchers explained.
Mitigations and fixes
The vulnerability is now tracked as CVE-2024-45195, and carries a severity score of 7.5 (high). All versions prior to 18.12.16 were vulnerable, and in the latest version, Apache addressed the issue by adding authorization checks. Users are advised to apply the patch without hesitation.
The researchers further explained that this is not the first vulnerability, or the first patch, to address the very same kind of flaw. Last year, Apache released three patches for three flaws that all had the same root cause: CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856.
That being said, CVE-2024-45195 is a patch bypass for the three older ones.
“All of them are caused by a controller-view map fragmentation issue that enables attackers to execute code or SQL queries and achieve remote code execution without authentication,” the researcher concluded.
Earlier this month, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that one of the three flaws – CVE-2024-32113, was being exploited in attacks, and added it to the Known Exploited Vulnerabilities (KEV) catalog.
Via BleepingComputer
More from TechRadar Pro
https://cdn.mos.cms.futurecdn.net/yDpezKpJsKYY4a3r9EzAw5-1200-80.jpg
Source link
