Apache’s OFBiz gets new fix for RCE exploits

September 7, 2024

TLDR:

Apache released a security update for OFBiz to patch vulnerabilities, including a bypass of patches for two exploited flaws. The bypass, tracked as CVE-2024-45195, allows unauthenticated remote attackers to execute code on the server. Rapid7 warns that Linux and Windows systems are affected. The update also addresses CVE-2024-45507, a server-side request forgery and code injection flaw.

Full Article:

Apache has released a security update for its open-source ERP system, OFBiz, to address critical vulnerabilities. The main highlight of this update is the patch for CVE-2024-45195, which is a bypass of recent patches for two exploited flaws. This bypass allows unauthenticated remote attackers to execute code on the server, affecting both Linux and Windows systems.

Rapid7, a cybersecurity firm, identified and reported the patch bypass, stating that it is related to three recently patched remote code execution flaws in Apache OFBiz: CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856, the last two of which are known to have been exploited in attacks. The root cause shared by all three is that the controller and view map state can be desynchronized, a defect that allows code execution.

Apache OFBiz version 18.12.16 was released to address the vulnerability by implementing additional authorization checks. The update also resolves CVE-2024-45507, described as a server-side request forgery and code injection flaw. Users are urged to update to the latest version of Apache OFBiz to protect against potential attacks, as threat actors are actively targeting vulnerable installations.
