
WARNING: CRITICAL REMOTE CODE EXECUTION IN APACHE OFBIZ, PATCH IMMEDIATELY!

Reference: Advisory #2024-215
Version: 1.0
Affected software: Apache OFBiz < 18.12.16
Type: Remote Code Execution (RCE)
CVE/CVSS:

CVE-2024-45195: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVE-2024-45507: CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

Apache - https://ofbiz.apache.org/security.html

Risks

Two vulnerabilities were discovered in Apache OFBiz, an open-source Enterprise Resource Planning (ERP) system. Successful exploitation of these vulnerabilities could lead to unauthenticated remote code execution (RCE) on both Linux and Windows host systems. A malicious attacker could abuse these vulnerabilities to take control of the system. This could lead to a ransomware attack or data theft.

Description

CVE-2024-45195 is a bypass for previously patched vulnerabilities (CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856) in Apache OFBiz. CVE-2024-32113 and CVE-2024-38856 are listed on the CISA Known Exploited Vulnerabilities (KEV) list.

The vulnerability allows an unauthenticated attacker to reach web application views that lack authentication checks and, through them, execute arbitrary code on the server.

CVE-2024-45507 is a Server-Side Request Forgery (SSRF) vulnerability that can lead to code injection. It allows an unauthenticated attacker to craft a malicious URL that results in arbitrary code execution on the server.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing the updates on affected installations with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
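As an added illustration that is not part of the CCB advisory, the script below scans web server access logs for the request shape behind the earlier OFBiz bypasses that CVE-2024-45195 builds on: a controller request URI (/<webapp>/control/<request>) followed by an extra path segment naming another view, with the webtools ProgramExport view and its groovyProgram parameter as concrete indicators from the public exploitation of CVE-2024-32113 and CVE-2024-38856. The log lines are constructed, the indicator lists are assumptions to be extended from your own controller configuration, and no indicator for the CVE-2024-45507 SSRF is modeled because the advisory gives no request details for it.

```python
import re
import urllib.parse

# Constructed sample lines in combined log format. They are not real captures;
# they reproduce the request shapes seen in the earlier OFBiz controller bypasses.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Sep/2024:10:01:02 +0000] "GET /webtools/control/main HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Sep/2024:10:01:03 +0000] "GET /webtools/control/forgotPassword HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Sep/2024:10:02:10 +0000] "POST /webtools/control/forgotPassword/ProgramExport HTTP/1.1" 200 700 "-" "python-requests/2.31"
198.51.100.9 - - [05/Sep/2024:10:02:11 +0000] "GET /webtools/control/forgotPassword%2FProgramExport?groovyProgram=x HTTP/1.1" 200 700 "-" "curl/8.0"
198.51.100.9 - - [05/Sep/2024:10:02:12 +0000] "GET /webtools/control/forgotPassword;jsessionid=ABC/ProgramExport HTTP/1.1" 200 700 "-" "curl/8.0"
192.0.2.7 - - [05/Sep/2024:10:03:00 +0000] "GET /accounting/control/main HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# OFBiz request URIs look like /<webapp>/control/<requestName>; anything after
# <requestName> is unexpected and is how the earlier bypasses reached other views.
CONTROLLER_RE = re.compile(r"^/(?P<webapp>[^/]+)/control/(?P<rest>.+)$")
# Assumed indicator lists (extend from your own controller.xml): ProgramExport is the
# Groovy-execution screen of webtools, groovyProgram the parameter carrying its source.
SENSITIVE_VIEWS = {"programexport"}
SUSPICIOUS_PARAMS = {"groovyprogram"}


def normalize_path(raw_path: str) -> str:
    """Percent-decode repeatedly (catches double encoding), drop ';param' path
    parameters such as ;jsessionid=..., and collapse empty segments."""
    path = raw_path
    for _ in range(3):
        decoded = urllib.parse.unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return "/" + "/".join(seg for seg in segments if seg)


def classify_request(method: str, target: str) -> list:
    """Return the reasons a request looks like OFBiz controller abuse (empty if none)."""
    raw_path, _, query = target.partition("?")
    match = CONTROLLER_RE.match(normalize_path(raw_path))
    if not match:
        return []
    request_segments = match.group("rest").split("/")
    reasons = []
    if len(request_segments) > 1:
        reasons.append(f"extra path segment(s) after controller request: {'/'.join(request_segments)}")
    if any(seg.lower() in SENSITIVE_VIEWS for seg in request_segments[1:]):
        reasons.append("sensitive view reached through another request URI")
    # Only query-string parameters are visible here; POST bodies are not logged.
    for name in urllib.parse.parse_qs(query, keep_blank_values=True):
        if name.lower() in SUSPICIOUS_PARAMS:
            reasons.append(f"suspicious parameter in query string: {name}")
    return reasons


def scan_log(text: str) -> list:
    """Parse combined-format lines and return one dict per suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m["method"], m["target"])
        if reasons:
            hits.append({"ip": m["ip"], "method": m["method"], "target": m["target"],
                         "status": int(m["status"]), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} {hit['target']} -> {'; '.join(hit['reasons'])}")
```

The extra-segment rule is the primary signal: a legitimate OFBiz request never carries a second segment after the request name, so a hit there is worth a closer look regardless of which view it names. Because access logs do not record POST bodies, a hit on the path alone should be correlated with the response size, the client, and any new files or processes on the host.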

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident

Patching to the newest version protects against future exploitation but does not remediate a compromise that has already occurred. Since two of the vulnerabilities bypassed by CVE-2024-45195 are already listed as exploited in the wild, affected systems should also be checked for signs of earlier intrusion.

References

Tenable - https://www.tenable.com/cve/CVE-2024-45507 & https://www.tenable.com/cve/CVE-2024-45195

Rapid7 - https://www.rapid7.com/blog/post/2024/09/05/cve-2024-45195-apache-ofbiz-...

Seclists - https://seclists.org/oss-sec/2024/q3/242

The Hacker News - https://thehackernews.com/2024/09/apache-ofbiz-update-fixes-high-severit...

CISA - https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_...