Apache OFBiz team patches critical RCE vulnerability (CVE-2024-45195)
For the fourth time in the last five months, Apache OFBiz users have been advised to upgrade their installations to fix a critical flaw (CVE-2024-45195) that could lead to unauthenticated remote code execution.
About CVE-2024-45195
Apache OFBiz is an open-source suite for enterprise resource planning (ERP), which contains web applications for human resources management, customer relationship management, accounting, marketing, etc.
“Apache OFBiz is used by numerous large organizations, and previously disclosed vulnerabilities for it have seen exploitation in the wild,” Rapid7 researcher Ryan Emmons noted.
CVE-2024-45195 was reported by Emmons and several other researchers, and it’s a direct request flaw, i.e., a vulnerability stemming from the web application inadequately enforcing authorization checks.
It affects Apache OFBiz versions before v18.12.16, and it can be exploited by unauthenticated attackers to execute arbitrary code on the underlying Windows or Linux server.
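A quick way to turn the affected-version statement above into an inventory check, written as an added example (it is not from the article, from Rapid7 or from the OFBiz project). The fixed release 18.12.16 is taken from the article; the host names and reported version strings are constructed. Anything that is not a plain release string (a snapshot or custom build) is reported as "unverified" rather than silently compared, because a pre-release build of 18.12.16 does not necessarily contain the fix.

```python
import re

# First release that carries the CVE-2024-45195 fix (per the article).
FIXED_VERSION = (18, 12, 16)

# Plain release strings only: "18", "18.12" or "18.12.15", nothing trailing.
_RELEASE = re.compile(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*\Z")


def parse_release(text):
    """Parse a release string like '18.12.15' into a 3-tuple of ints.

    Returns None for anything else (snapshot builds, custom suffixes, garbage),
    so callers cannot accidentally treat an unknown build as patched.
    """
    m = _RELEASE.match(text)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def classify(version):
    """Return 'affected', 'fixed' or 'unverified' for one reported version."""
    parsed = parse_release(version)
    if parsed is None:
        return "unverified"  # compare by hand against the actual build contents
    return "affected" if parsed < FIXED_VERSION else "fixed"


# Constructed inventory: hostname -> version string reported by the deployment.
INVENTORY = {
    "erp-prod-01.example": "18.12.15",
    "erp-staging.example": "18.12.16",
    "erp-legacy.example": "17.12.07",
    "erp-dev.example": "18.12.16-SNAPSHOT",
}


def report(inventory):
    """Group hosts by status so affected ones can be prioritised for upgrade."""
    out = {"affected": [], "fixed": [], "unverified": []}
    for host, version in sorted(inventory.items()):
        out[classify(version)].append(host)
    return out


if __name__ == "__main__":
    for status, hosts in report(INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Run it against your own host list by replacing INVENTORY; the "unverified" bucket is the one that needs a manual look, since a snapshot label says nothing about which commits it contains.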
Researchers demonstrate exploitation
“Exploitation [of CVE-2024-45195] is facilitated by bypassing previous patches for CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856,” Emmons explained.
CVE-2024-32113 and CVE-2024-36104 have been categorized as path traversal flaws, and CVE-2024-38856 as an incorrect authorization issue (as explained by SonicWall’s Capture Labs researchers).
Based on Rapid7’s analysis, all these vulnerabilities are, essentially, one and the same, with the same root cause: the fragmented state of the application’s controller and view map.
Unfortunately, the patches for the three flaws were incomplete, and Rapid7 researchers were able to desynchronize the controller-view map state. This allowed them not only to dump all usernames, passwords, and credit card numbers stored by Apache OFBiz into a web-accessible directory, but also to achieve remote code execution.
CVE-2024-45195 has been fixed – along with CVE-2024-45507, a server-side request forgery (SSRF) code injection vulnerability – in Apache OFBiz version 18.12.16.