Apache OFBiz ERP has been found vulnerable to authentication bypass and remote code execution. The vulnerability has the MITRE ID CVE-2023-51467 and a Critical CVSS score of 9.8 out of 10. It permits attackers to circumvent authentication, enabling them to remotely execute arbitrary code.
Description:
Apache OFBiz is a Java-based enterprise resource planning (ERP) web framework that includes an entity engine, a service engine and a widget-based UI, allowing you to quickly prototype and develop your web application.
CVE-2023-51467 allows an attacker to bypass authentication, achieve a simple Server-Side Request Forgery (SSRF) and access sensitive information using the ERP framework.
The Apache Software Foundation had released a patch for a related issue, CVE-2023-49070 (pre-auth RCE in Apache OFBiz 18.12.09). However, the patch didn't protect against variations and evolutions of the attack.
The attackers had probably analyzed the existing patch for potential flaws. The patch mitigated CVE-2023-49070 by removing the specific endpoints it was discovered in (the XML-RPC endpoint), but the attackers discovered other endpoints that were vulnerable to the same bypass.
Affected versions:
The vulnerability affects all versions of Apache OFBiz up to and excluding 18.12.11.
Defensive Measures:
Users should take the following measures to prevent threat actors from exploiting the vulnerability.
Apache recommends that users upgrade to Apache OFBiz 18.12.11 to patch the vulnerability.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-51467#range-10186807