Apache OFBiz team fixes critical remote code execution vulnerability (CVE-2024-45195)

Apache OFBiz users have been urged to update their installations once again to address a critical vulnerability (CVE-2024-45195) that could potentially lead to unauthenticated remote code execution. This marks the fourth time in the last five months that users of the open-source enterprise resource planning (ERP) suite have been advised to take action to secure their systems.

CVE-2024-45195 was brought to light by researchers, including Rapid7’s Ryan Emmons, and is classified as a direct request flaw. This type of vulnerability arises when a web application fails to properly enforce authorization checks. In the case of Apache OFBiz, the flaw impacts versions prior to v18.12.16 and could be exploited by malicious actors without authentication to run arbitrary code on the targeted Windows or Linux server.

Emmons highlighted the importance of addressing this vulnerability promptly, noting that successful exploitation of CVE-2024-45195 could be facilitated by bypassing previous patches for other known vulnerabilities in Apache OFBiz, such as CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856. These vulnerabilities, which include path traversal flaws and an incorrect authorization issue, all stem from the fragmented state of the application’s controller and view map.

Despite attempts to patch the aforementioned vulnerabilities, Rapid7 researchers were able to demonstrate how they could desynchronize the controller-view map state, allowing them to extract sensitive data stored by Apache OFBiz, including usernames, passwords, and credit card numbers, and achieve remote code execution. To address these security risks, fixes for CVE-2024-45195 and CVE-2024-45507, a server-side request forgery (SSRF) code injection vulnerability, have been included in Apache OFBiz version 18.12.16.
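The controller-view desynchronization described above, as an added example that is not OFBiz code and does not reproduce OFBiz's actual request handling: a toy dispatcher in which the authorization decision and the rendered view come from two independent lookups, next to a version where a single request-map entry decides both. All table names and entries are constructed for illustration.

```python
"""Toy model of a controller/view-map desynchronization (constructed example).

A request map (URI -> auth requirement + view) and a view map (view name -> page)
drive dispatch. The defect modelled: authorization is decided from one lookup
while the view to render is chosen from another, so the two can disagree.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class RequestEntry:
    auth_required: bool
    view: str


# Constructed request map: a public login page and a privileged admin view.
REQUEST_MAP = {
    "login": RequestEntry(auth_required=False, view="LoginPage"),
    "admin": RequestEntry(auth_required=True, view="AdminPage"),
}
# Constructed view map: view name -> page content.
VIEW_MAP = {"LoginPage": "public login form", "AdminPage": "SENSITIVE admin data"}


def dispatch_desynced(path: str, authenticated: bool) -> Tuple[int, Optional[str]]:
    """Vulnerable: auth is decided on segment[0], the view is taken from segment[-1]."""
    segments = [s for s in path.split("/") if s]
    entry = REQUEST_MAP.get(segments[0]) if segments else None
    if entry is None:
        return 404, None
    if entry.auth_required and not authenticated:
        return 401, None
    # Defect: the view comes from a second, client-controlled lookup that the
    # authorization check above never saw, so the two maps fall out of sync.
    view = segments[-1] if len(segments) > 1 else entry.view
    page = VIEW_MAP.get(view)
    return (200, page) if page is not None else (404, None)


def dispatch_hardened(path: str, authenticated: bool) -> Tuple[int, Optional[str]]:
    """Fixed: one request-map entry decides both authorization and the view."""
    segments = [s for s in path.split("/") if s]
    if len(segments) != 1:  # refuse paths that try to name a view directly
        return 404, None
    entry = REQUEST_MAP.get(segments[0])
    if entry is None:
        return 404, None
    if entry.auth_required and not authenticated:
        return 401, None
    return 200, VIEW_MAP[entry.view]  # render only the view the entry declares
```

Running `dispatch_desynced("/login/AdminPage", False)` returns the privileged page with status 200, while `dispatch_hardened` returns 404 for the same request and 401 for `/admin` until the caller is authenticated.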

The urgency of addressing these vulnerabilities is underscored by the potential impact on organizations using Apache OFBiz for various business functions, such as human resources management, customer relationship management, accounting, and marketing. With the suite being employed by numerous large enterprises, the risk of exploitation in the wild remains a concern, as previously observed with other disclosed vulnerabilities.

In light of these developments, system administrators and users of Apache OFBiz are strongly advised to upgrade their installations to the latest version to ensure that their systems are protected against potential security threats. By staying proactive and maintaining up-to-date software, organizations can mitigate the risk of falling victim to cyber attacks that exploit known vulnerabilities in their ERP systems.
