Critical remote code execution flaw in Apache OFBiz patched

The bug is an arbitrary code execution flaw


Apache released a patch for a critical severity vulnerability in its OFBiz software. The bug is an arbitrary code execution flaw, allowing threat actors to run any code on either Windows or Linux servers.

Apache OFBiz (short for Open For Business) is an open-source enterprise resource planning (ERP) system that provides a suite of applications designed to automate and manage a wide range of business processes. It offers a comprehensive platform for businesses to handle operations such as customer relationship management (CRM), supply chain management, inventory management, accounting, e-commerce, and more.

According to cybersecurity researchers at Rapid7, the bug stems from a forced browsing weakness that exposes restricted paths to unauthenticated direct request attacks. “An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server,” the researchers explained.

Mitigations and fixes

The vulnerability is now tracked as CVE-2024-45195, and carries a severity score of 7.5 (high). All versions prior to 18.12.16 were vulnerable, and in the latest version, Apache addressed the issue by adding authorization checks. Users are advised to apply the patch without hesitation.

The researchers further explained that this is not the first vulnerability, or the first patch, to address the very same kind of flaw. Last year, Apache released three patches for three flaws that all had the same root cause: CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856.

That being said, CVE-2024-45195 is a patch bypass for the three older ones.

“All of them are caused by a controller-view map fragmentation issue that enables attackers to execute code or SQL queries and achieve remote code execution without authentication,” the researchers concluded.
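The class of weakness the researchers describe, an authorization check attached to the request mapping but missing on the view it ultimately renders, can be illustrated with a small model. The following Python is an added example written for this article; it is not Apache OFBiz code, and the controller, request URIs and view names are hypothetical and constructed. It shows a dispatcher that gates access per request mapping, how a directly requested view escapes that gate, and how adding the view-level check (the kind of fix described above) closes the gap.

```python
"""Toy controller/view model with and without view-level authorization.

Constructed example for illustration only: not Apache OFBiz code, and every
request URI, view name and response string below is hypothetical.
"""

from dataclasses import dataclass, field


@dataclass
class View:
    name: str
    requires_auth: bool  # rendering this view should require a logged-in user


@dataclass
class RequestMapping:
    uri: str
    view: str            # default view rendered for this request URI
    requires_auth: bool  # gate applied to the request URI itself


@dataclass
class Controller:
    requests: dict = field(default_factory=dict)  # uri -> RequestMapping
    views: dict = field(default_factory=dict)     # view name -> View
    # The fix: authorize the view being rendered, not only the request mapping.
    check_view_auth: bool = True

    def dispatch(self, target: str, authenticated: bool) -> str:
        """Resolve a request and return an HTTP-like status string."""
        mapping = self.requests.get(target)
        if mapping is not None:
            # Gate on the request mapping (present in both variants).
            if mapping.requires_auth and not authenticated:
                return "403 request denied"
            return self._render(mapping.view, authenticated)
        # Forced browsing: the target names a view directly, so no request
        # mapping (and therefore no request-level gate) applies.
        if target in self.views:
            return self._render(target, authenticated)
        return "404 not found"

    def _render(self, view_name: str, authenticated: bool) -> str:
        view = self.views[view_name]
        # Only the patched variant re-checks authorization at the view.
        if self.check_view_auth and view.requires_auth and not authenticated:
            return "403 view denied"
        return f"200 rendered {view.name}"


def build_controller(check_view_auth: bool) -> Controller:
    """Build a tiny sample application (constructed data, hypothetical names)."""
    c = Controller(check_view_auth=check_view_auth)
    c.views["home"] = View("home", requires_auth=False)
    c.views["report"] = View("report", requires_auth=True)
    c.requests["/public/home"] = RequestMapping("/public/home", "home", requires_auth=False)
    c.requests["/admin/report"] = RequestMapping("/admin/report", "report", requires_auth=True)
    return c


def compare_variants() -> dict:
    """Run the same unauthenticated requests against both variants."""
    vulnerable = build_controller(check_view_auth=False)
    patched = build_controller(check_view_auth=True)
    probes = ["/public/home", "/admin/report", "report"]
    return {
        "vulnerable": {p: vulnerable.dispatch(p, authenticated=False) for p in probes},
        "patched": {p: patched.dispatch(p, authenticated=False) for p in probes},
    }


if __name__ == "__main__":
    for variant, results in compare_variants().items():
        print(variant)
        for target, status in results.items():
            print(f"  {target:15} -> {status}")
```

In the unpatched variant the mapped `/admin/report` request is refused, yet naming the `report` view directly renders it without credentials, because the only gate lives on the request mapping. Moving the check onto the view makes the decision independent of which path reached it, which is why "adding authorization checks" at that layer is the durable fix rather than blocking individual request paths.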

Earlier this month, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that one of the three flaws, CVE-2024-32113, was being exploited in attacks, and added it to the Known Exploited Vulnerabilities (KEV) catalog.

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.