December 27, 2023 at 11:18AM
A new zero-day security flaw (CVE-2023-51467) in the Apache OFBiz ERP system allows bypassing authentication. It stems from an incomplete patch for the CVE-2023-49070 vulnerability. Exploiting the flaw facilitates unauthorized access and potential SSRF attacks. SonicWall Capture Labs advises updating to Apache OFBiz version 18.12.11 or later to mitigate the risks.
Key Takeaways:
1. A new zero-day security flaw, tracked as CVE-2023-51467, has been discovered in the Apache OFBiz ERP system, allowing for an authentication bypass.
2. The vulnerability is a result of an incomplete patch for an earlier critical vulnerability, CVE-2023-49070, which could allow threat actors to gain full control over the server and access sensitive data.
3. The flaw can be triggered using empty and invalid USERNAME and PASSWORD parameters in an HTTP request, effectively circumventing protection measures.
4. The vulnerability allows attackers to achieve a simple Server-Side Request Forgery (SSRF) and could be mitigated by updating to Apache OFBiz version 18.12.11 or later.
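
A defensive check for the request pattern in item 3, as an added example that is not part of the original article or of Apache OFBiz: it scans web access logs for requests whose USERNAME or PASSWORD query parameter is blank. The log format, paths and sample lines are constructed placeholders, and parameters sent in a POST body will not appear in an access log.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (placeholder paths, documentation IPs).
SAMPLE_LOG = """\
198.51.100.7 - - [27/Dec/2023:10:01:12 +0000] "GET /app/control/main HTTP/1.1" 200 5120
198.51.100.7 - - [27/Dec/2023:10:01:15 +0000] "POST /app/control/login?USERNAME=alice&PASSWORD=x HTTP/1.1" 200 812
203.0.113.9 - - [27/Dec/2023:10:02:40 +0000] "POST /app/control/page?USERNAME=&PASSWORD= HTTP/1.1" 200 310
203.0.113.9 - - [27/Dec/2023:10:02:41 +0000] "GET /app/control/page?username=%20&password= HTTP/1.1" 200 310
"""

# Assumed layout: client, ident, user, [time], "METHOD target PROTO", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
CRED_PARAMS = {"USERNAME", "PASSWORD"}


def blank_credentials(target):
    """Return the credential parameters in a request target whose value is blank."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    blank = set()
    for name, values in params.items():
        # Match names case-insensitively; whitespace-only counts as blank.
        if name.upper() in CRED_PARAMS and any(not v.strip() for v in values):
            blank.add(name.upper())
    return sorted(blank)


def find_suspect_requests(log_text):
    """Return one record per log line that carries a blank credential parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, when, method, target, status = m.groups()
        blank = blank_credentials(target)
        if blank:
            hits.append({"ip": ip, "time": when, "method": method,
                         "path": urlsplit(target).path,
                         "status": int(status), "blank": blank})
    return hits


if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for review, not proof of compromise; the status code in each record helps separate rejected requests from ones the server answered normally.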