WARNING: CRITICAL REMOTE CODE EXECUTION IN APACHE OFBIZ, PATCH IMMEDIATELY!
CVE-2024-45195: CVSS 7.5(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE-2024-45507: CVSS 9.8(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Sources
Apache - https://ofbiz.apache.org/security.html
Risks
Two vulnerabilities were discovered in Apache OFBiz, an open-source Enterprise Resource Planning (ERP) system. Successful exploitation of either vulnerability can lead to unauthenticated remote code execution (RCE) on both Linux and Windows hosts. An attacker could abuse them to take full control of the system, which could in turn lead to a ransomware attack or data theft.
Description
CVE-2024-45195 bypasses the fixes for three previously patched Apache OFBiz vulnerabilities (CVE-2024-32113, CVE-2024-36104 and CVE-2024-38856). CVE-2024-32113 and CVE-2024-38856 are listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, meaning they have already been exploited in the wild; a bypass of their fixes should therefore be treated as likely to be exploited as well.
The flaw stems from missing authentication checks on views in the web application: an unauthenticated attacker can reach views that should be restricted and use them to execute arbitrary code on the server.
CVE-2024-45507 is a Server-Side Request Forgery (SSRF) vulnerability that can be escalated to code injection. An unauthenticated attacker can craft a malicious URL that causes the server to execute arbitrary code.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for affected OFBiz installations with the highest priority, after thorough testing. Apache has fixed both vulnerabilities in OFBiz 18.12.16 (see the Apache security page listed under Sources); earlier releases should be considered vulnerable.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident
Patching to the newest version protects against future exploitation, but it does not remediate a compromise that occurred before the patch was applied. Review access logs and the host itself for signs of prior exploitation, in particular unauthenticated requests to administrative parts of the OFBiz web application from unexpected sources.
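The two recommended actions above (patch, then check for historic compromise) can be partly automated. The following Python script is an added example written for this advisory; it is not code from Apache OFBiz or from the CCB. It makes two checks: whether a reported OFBiz version predates 18.12.16, the release that fixes both CVEs according to the Apache security page listed under Sources, and whether web-server access logs show requests to the OFBiz administrative "webtools" application from addresses outside an administrative allow-list. The log format (combined access-log style), the `/webtools/control/` path prefix, the allow-list of `10.0.0.0/8` and the sample log lines are assumptions constructed for the example; adjust them to your deployment. The log heuristic does not detect the CVEs themselves, it only surfaces unexpected reach into the administrative application, which is the kind of activity to look for when assessing a possible earlier compromise.

```python
"""Added triage helper for the Apache OFBiz advisory (example code, not the project's own).

1. version_affected(): does the running OFBiz release predate 18.12.16, the
   release that fixes CVE-2024-45195 and CVE-2024-45507?
2. suspicious_requests(): sweep access-log lines for requests to the OFBiz
   administrative 'webtools' control servlet from addresses outside the
   administrative allow-list.  Path prefix and allow-list are assumptions.
"""
import ipaddress
import re
from typing import Iterable, List, Sequence, Tuple

# First OFBiz release containing the fixes for both CVEs (Apache security page).
FIXED_VERSION = (18, 12, 16)

# Assumption for this example: the OFBiz admin webapp is reachable under this prefix.
ADMIN_PREFIX = "/webtools/control/"

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?P<suffix>-\S+)?\s*$")

# Combined access-log line: ip ident user [timestamp] "METHOD path proto" status size
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(version: str) -> Tuple[Tuple[int, int, int], str]:
    """Split '18.12.15' or '18.12.16-SNAPSHOT' into ((18, 12, 15), suffix)."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised OFBiz version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch), (m.group("suffix") or "")


def version_affected(version: str) -> bool:
    """True if the release predates the fix for both CVEs.

    A pre-release/snapshot build of 18.12.16 may have been cut before the fix
    commits, so it is conservatively treated as affected too.
    """
    parsed, suffix = parse_version(version)
    if parsed < FIXED_VERSION:
        return True
    return parsed == FIXED_VERSION and suffix != ""


def suspicious_requests(
    lines: Iterable[str],
    admin_nets: Sequence[str] = ("10.0.0.0/8",),
) -> List[Tuple[str, str, str, str]]:
    """Return (ip, method, path, status) for hits on ADMIN_PREFIX from non-admin addresses.

    Failed attempts (4xx) are kept on purpose: they still show someone probing
    the administrative application from outside the allow-list.
    """
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand; skip rather than guess
        path = m["path"].split("?", 1)[0]  # drop the query string before matching
        if not path.startswith(ADMIN_PREFIX):
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname or garbage in the client field
        if any(ip in net for net in nets):
            continue  # administrative source, expected traffic
        hits.append((m["ip"], m["method"], path, m["status"]))
    return hits


# Constructed sample log lines (not real traffic); 10.1.2.3 is the admin network.
SAMPLE_LOG = """\
10.1.2.3 - - [05/Sep/2024:10:00:01 +0200] "GET /webtools/control/main HTTP/1.1" 200 5120
203.0.113.7 - - [05/Sep/2024:10:00:05 +0200] "POST /webtools/control/checkLogin HTTP/1.1" 200 812
203.0.113.7 - - [05/Sep/2024:10:00:06 +0200] "GET /ecommerce/control/main HTTP/1.1" 200 9001
198.51.100.4 - - [05/Sep/2024:10:00:09 +0200] "GET /webtools/control/main?x=1 HTTP/1.1" 403 0
"""


if __name__ == "__main__":
    for v in ("17.12.11", "18.12.15", "18.12.16", "18.12.16-SNAPSHOT"):
        print(f"OFBiz {v}: {'PATCH NOW' if version_affected(v) else 'fixed release'}")
    for ip, method, path, status in suspicious_requests(SAMPLE_LOG.splitlines()):
        print(f"review: {ip} {method} {path} -> {status}")
```

Run it against the real version string (for example from the OFBiz build information or the `ofbiz` JAR manifest) and the web server's access logs; the second check is only a starting point for the log review that the advisory recommends, and any hit deserves a closer look at what the request did and whether it was followed by unexpected processes or files on the host.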
References
Tenable - https://www.tenable.com/cve/CVE-2024-45507 & https://www.tenable.com/cve/CVE-2024-45195
Rapid7 - https://www.rapid7.com/blog/post/2024/09/05/cve-2024-45195-apache-ofbiz-...
Seclists - https://seclists.org/oss-sec/2024/q3/242
The Hacker News - https://thehackernews.com/2024/09/apache-ofbiz-update-fixes-high-severit...
CISA - https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_...