Unauthenticated Remote Code Execution in Apache OFBiz (CVE-2024-45195)

ISGroup Cybersecurity

Apache OFBiz in versions prior to 18.12.16 is vulnerable to an unauthenticated remote code execution (RCE) flaw that allows attackers to execute arbitrary code on both Linux and Windows servers. This vulnerability stems from a lack of authorization checks in the web application, allowing attackers to exploit certain views without authentication.

The vulnerability is particularly concerning because it bypasses previous security patches related to CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856, thus constituting a case of patch bypass. Furthermore, CVE-2024-32113 was already present in CISA’s Known Exploited Vulnerabilities (KEV) catalog, indicating prior active exploitation activity. Exploitation of CVE-2024-45195 has also been actively observed, increasing the urgency of implementing mitigation measures.

ProductOFBiz
Date2025-02-07 09:28:20
Information
  • Fix Available
  • Active Exploitation

Technical Summary

Apache OFBiz, an open-source ERP and CRM system, is affected by a critical security flaw that allows remote attackers to take control of the server without authentication. The issue stems from inadequate authorization checks in the web interface, specifically in the /webtools/control/forgotPassword/xmldsdump endpoint. By exploiting this flaw, an attacker can write arbitrary files to the server, ultimately leading to remote code execution.

The vulnerability allows attackers to execute commands with the same privileges as the Apache OFBiz application, potentially compromising sensitive data, deploying malware, or performing lateral movement to other systems on the network. This flaw is particularly dangerous because it does not require authentication and can be exploited remotely.

Recommendations

Users should upgrade to version 18.12.16 of Apache OFBiz, which contains the fixes for this vulnerability and also resolves previous issues related to patch bypasses. Security teams should also monitor for any signs of exploitation and implement additional rules in a web application firewall (WAF) to block exploit attempts.

References:

[Callforaction-THREAT-Footer]