Apache Makes Another Attempt at Patching Exploited RCE in OFBiz

September 6, 2024 at 08:00AM

Apache announced a security update for the open-source ERP system OFBiz to address two vulnerabilities, including a bypass of patches for two exploited flaws. The bypass, CVE-2024-45195, allows unauthenticated, remote attackers to execute code on affected systems. Rapid7 warns that both Linux and Windows systems are affected. Users are urged to update to Apache OFBiz 18.12.16.

Key takeaways:

– Apache announced a security update for the open-source enterprise resource planning (ERP) system OFBiz, addressing multiple vulnerabilities, including a bypass of patches for two exploited flaws.
– The security update resolves a missing view authorization check in the web application that allowed unauthenticated, remote attackers to execute code on the server.
– The vulnerabilities are related to three recently addressed remote code execution (RCE) flaws in Apache OFBiz (CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856), with two known to have been exploited in the wild.
– The update also addresses a server-side request forgery (SSRF) and code injection flaw (CVE-2024-45507).
– Apache OFBiz version 18.12.16 was released to implement additional authorization checks, validating view permissions for unauthenticated users.
– Users are advised to update to Apache OFBiz 18.12.16 as soon as possible to mitigate the risk of exploitation by threat actors.
