September 5, 2024 at 05:35PM
Apache has addressed a critical security vulnerability in its OFBiz software that allows attackers to execute arbitrary code on Linux and Windows servers. The flaw, tracked as CVE-2024-45195 and discovered by Rapid7, is a remote code execution issue caused by a forced browsing weakness. Users are urged to upgrade to version 18.12.16 to prevent potential attacks.
The notes describe a critical security vulnerability in Apache's open-source OFBiz software. This vulnerability, tracked as CVE-2024-45195, allows attackers to execute arbitrary code on vulnerable Linux and Windows servers by exploiting missing view authorization checks in the web application.
The Apache security team has patched the vulnerability in version 18.12.16 by adding authorization checks. Users of OFBiz are advised to upgrade their installations as soon as possible to prevent potential attacks.
Additionally, the notes mention that CVE-2024-45195 is a patch bypass for three previously patched OFBiz vulnerabilities, tracked as CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856. All four stem from the same controller-view map fragmentation issue, which lets unauthenticated attackers execute code or SQL queries and achieve remote code execution.
Furthermore, the notes highlight the urgency of patching these vulnerabilities: they have been actively exploited, and federal agencies are required to patch their servers within the timeline mandated by Binding Operational Directive 22-01 (BOD 22-01), issued by the Cybersecurity and Infrastructure Security Agency (CISA).
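To make the "missing view authorization check" and "controller-view map" wording concrete, here is an added example (not from the article and not OFBiz code) of a toy web dispatcher. It models the general class of forced-browsing weakness: a request is authorized against the request map, but the view that is actually rendered is resolved from a second fragment of the path and never gets its own check. The request map, view map, request shape and function names are all constructed for illustration; the hardened variant shows the shape of the fix the article describes, authorizing the resolved view rather than only the request.

```python
"""Toy controller/view dispatcher illustrating forced browsing through a
split request-map / view-map lookup, and the hardened form of the check.
Hypothetical example code; all maps and names are constructed."""

from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed request map: request name -> (default view, login required)
REQUEST_MAP = {
    "main": ("MainView", False),    # public landing page
    "admin": ("AdminView", True),   # requires an authenticated session
}

# Constructed view map: view name -> login required to render this view
VIEW_MAP = {
    "MainView": False,
    "AdminView": True,
}


@dataclass
class Request:
    path: str            # e.g. "main" or "main/AdminView" (constructed shape)
    authenticated: bool  # whether the caller has a logged-in session


class Forbidden(Exception):
    """Raised when the dispatcher denies the request."""


def _split(path: str) -> Tuple[str, Optional[str]]:
    """Split 'request/view' into its parts; a missing view means the default."""
    parts = [p for p in path.split("/") if p]
    request_name = parts[0] if parts else ""
    view_override = parts[1] if len(parts) > 1 else None
    return request_name, view_override


def render_vulnerable(req: Request) -> str:
    """Weak shape: authorization is decided only from the request-map entry.
    The view fragment that follows is honoured without its own check, so a
    public request can be steered to a view that should require login."""
    request_name, view_override = _split(req.path)
    if request_name not in REQUEST_MAP:
        raise KeyError(f"unknown request {request_name!r}")
    default_view, login_required = REQUEST_MAP[request_name]
    if login_required and not req.authenticated:
        raise Forbidden(request_name)
    view = view_override or default_view
    if view not in VIEW_MAP:
        raise KeyError(f"unknown view {view!r}")
    return f"rendered {view}"


def render_hardened(req: Request) -> str:
    """Fixed shape: the view that will actually be rendered is authorized too.
    The decision is taken on the resolved view, so the request-map entry and
    the view-map entry cannot disagree in the attacker's favour."""
    request_name, view_override = _split(req.path)
    if request_name not in REQUEST_MAP:
        raise KeyError(f"unknown request {request_name!r}")
    default_view, login_required = REQUEST_MAP[request_name]
    view = view_override or default_view
    if view not in VIEW_MAP:
        raise KeyError(f"unknown view {view!r}")
    # Authorize against the stricter of the request and the resolved view.
    if (login_required or VIEW_MAP[view]) and not req.authenticated:
        raise Forbidden(view)
    return f"rendered {view}"


def is_denied(render, req: Request) -> bool:
    """Helper for auditing: True if the given dispatcher refuses the request."""
    try:
        render(req)
        return False
    except Forbidden:
        return True


if __name__ == "__main__":
    probe = Request("main/AdminView", authenticated=False)
    print("vulnerable denies:", is_denied(render_vulnerable, probe))  # False
    print("hardened denies:  ", is_denied(render_hardened, probe))    # True
```

The defensive point is the placement of the check: authorization must be evaluated on the artifact that is ultimately served (the resolved view), not only on the first path segment the router matched. The same principle is what makes a version upgrade the reliable fix here, since the check has to live inside the dispatcher rather than in front of it.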
In summary, the key takeaways from the meeting notes include the critical nature of the CVE-2024-45195 vulnerability, the importance of upgrading OFBiz installations to the patched version 18.12.16, the existence of a patch bypass for previous vulnerabilities, and the urgency of prioritizing patching to mitigate the risk of potential attacks.