News

Sep 8, 2024 | IT apache patch open-source

Apache fixes critical OFBiz remote code execution vulnerability

Apache has fixed a critical security vulnerability in its open-source OFBiz (Open For Business) software, which could allow attackers to execute arbitrary code on vulnerable Linux and Windows servers.

OFBiz is a suite of customer relationship management (CRM) and enterprise resource planning (ERP) business applications that can also be used as a Java-based web framework for developing web applications.

 

Tracked as CVE-2024-45195 and discovered by Rapid7 security researchers, this remote code execution flaw is caused by a forced browsing weakness that exposes restricted paths to unauthenticated direct request attacks.

 

"An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server," security researcher Ryan Emmons explained on Thursday in a report containing proof-of-concept exploit code.

 

The Apache security team patched the vulnerability in version 18.12.16 by adding authorization checks. OFBiz users are advised to upgrade their installations as soon as possible to block potential attacks.

 

Bypass for previous security patches


As Emmons further explained today, CVE-2024-45195 is a patch bypass for three other OFBiz vulnerabilities that have been patched since the start of the year and are tracked as CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856.

"Based on our analysis, three of these vulnerabilities are, essentially, the same vulnerability with the same root cause," Emmons added.

 

All of them are caused by a controller-view map fragmentation issue that enables attackers to execute code or SQL queries and achieve remote code execution without authentication.

 

In early August, CISA warned that the CVE-2024-32113 OFBiz vulnerability (patched in May) was being exploited in attacks, days after SonicWall researchers published technical details on the CVE-2024-38856 pre-authentication RCE bug.

 

CISA also added the two security bugs to its catalog of actively exploited vulnerabilities, requiring federal agencies to patch their servers within three weeks as mandated by the binding operational directive (BOD 22-01) issued in November 2021.

 

Even though BOD 22-01 only applies to Federal Civilian Executive Branch (FCEB) agencies, CISA urged all organizations to prioritize patching these flaws to thwart attacks that could target their networks.

 

In December, attackers started exploiting another OFBiz pre-authentication remote code execution vulnerability (CVE-2023-49070) using public proof of concept (PoC) exploits to find vulnerable Confluence servers.

load more

Apache fixes critical OFBiz remote code execution vulnerability

Category: IT|Sep 8, 2024 | Author: Admin

SonicWall SSLVPN access control flaw is now exploited in attacks

Category: IT|Sep 7, 2024 | Author: Admin

Microsoft Office 2024 to disable ActiveX controls by default

Category: Microsoft|Sep 6, 2024 | Author: Admin

LiteSpeed Cache bug exposes 6 million WordPress sites to takeover attacks

Category: IT|Sep 5, 2024 | Author: Admin

Cisco warns of backdoor admin account in Smart Licensing Utility

Category: IT|Sep 4, 2024 | Author: Admin

D-Link says it is not fixing four RCE flaws in DIR-846W routers

Category: IT|Sep 3, 2024 | Author: Admin

The Google Play Store can finally update multiple apps at the same time

Category: Google|Sep 2, 2024 | Author: Admin

Now the iPhone buttons don't work

Category: Apple|Sep 1, 2024 | Author: Admin

Some Android smartphones have been found to contain a hidden security vulnerability

Category: General|Aug 31, 2024 | Author: Admin

Over 200 million users a week

Category: Apple|Aug 30, 2024 | Author: Admin

Chrome will redact credit cards, passwords when you share Android screen

Category: General|Aug 29, 2024 | Author: Admin

Google increases Chrome bug bounty rewards up to $250,000

Category: Google|Aug 28, 2024 | Author: Admin

Microsoft: Exchange Online mistakenly tags emails as malware

Category: Microsoft|Aug 27, 2024 | Author: Admin

Microsoft's Windows Control Panel might not get the axe after all — 38-year-old feature could live on as wording about deprecation is removed

Category: Microsoft|Aug 26, 2024 | Author: Admin

Google DeepMind workers urge the company to end ties with military organizations

Category: Google|Aug 25, 2024 | Author: Admin
more