Apache behebt kritische OFBiz-Schwachstelle für entfernte Codeausführung

Teilen:

Apache has fixed a critical security vulnerability in its open-source OFBiz (Open For Business) software, which could allow attackers to execute arbitrary code on vulnerable Linux and Windows servers.

OFBiz is a suite of customer relationship management (CRM) and enterprise resource planning (ERP) business applications that can also be used as a Java-based web framework for developing web applications.

Tracked as CVE-2024-45195 and discovered by Rapid7 security researchers, this remote code execution flaw is caused by a forced browsing weakness that exposes restricted paths to unauthenticated direct request attacks.

“An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server,” security researcher Ryan Emmons explained on Thursday in a report containing proof-of-concept exploit code.

The Apache security team patched the vulnerability in version 18.12.16 by adding authorization checks. OFBiz users are advised to upgrade their installations as soon as possible to block potential attacks.

Bypass for previous security patches

As Emmons further explained today, CVE-2024-45195 is a patch bypass for three other OFBiz vulnerabilities that have been patched since the start of the year and are tracked as CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856.

“Based on our analysis, three of these vulnerabilities are, essentially, the same vulnerability with the same root cause,” Emmons added.

All of them are caused by a controller-view map fragmentation issue that enables attackers to execute code or SQL queries and achieve remote code execution without authentication.

In early August, CISA warned that the CVE-2024-32113 OFBiz vulnerability (patched in May) was being exploited in attacks, days after SonicWall researchers published technical details on the CVE-2024-38856 pre-authentication RCE bug.

CISA also added the two security bugs to its catalog of actively exploited vulnerabilities, requiring federal agencies to patch their servers within three weeks as mandated by the binding operational directive (BOD 22-01) issued in November 2021.

Even though BOD 22-01 only applies to Federal Civilian Executive Branch (FCEB) agencies, CISA urged all organizations to prioritize patching these flaws to thwart attacks that could target their networks.

In December, attackers started exploiting another OFBiz pre-authentication remote code execution vulnerability (CVE-2023-49070) using public proof of concept (PoC) exploits to find vulnerable Confluence servers.

Sergiu Gatlan

Kommentar verfassen

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert

lade-bild
London, GB
2:54 am, Jan. 24, 2025
Wetter-Symbol 9°C
L: 9° | H: 10°
overcast clouds
Luftfeuchtigkeit: 91 %
Druck: 996 mb
Wind: 14 mph WSW
Windböe: 24 mph
UV-Index: 0
Niederschlag: 0 mm
Wolken: 100%
Regen Chance: 0%
Sichtbarkeit: 6 km
Sonnenaufgang: 7:49 am
Sonnenuntergang: 4:35 pm
TäglichStündlich
Tägliche VorhersageStündliche Vorhersage
Today 9:00 pm
Wetter-Symbol
9° | 10°°C 1 mm 100% 24 mph 91 % 1002 mb 0 mm/h
Tomorrow 9:00 pm
Wetter-Symbol
3° | 5°°C 1 mm 100% 11 mph 90 % 1010 mb 0 mm/h
So. Jan. 26 9:00 pm
Wetter-Symbol
2° | 7°°C 1 mm 100% 15 mph 97 % 1009 mb 0 mm/h
Mo. Jan. 27 9:00 pm
Wetter-Symbol
6° | 8°°C 1 mm 100% 12 mph 98 % 991 mb 0 mm/h
Di. Jan. 28 9:00 pm
Wetter-Symbol
5° | 7°°C 1 mm 100% 15 mph 92 % 999 mb 0 mm/h
Today 3:00 am
Wetter-Symbol
9° | 10°°C 0.83 mm 83% 22 mph 91 % 996 mb 0 mm/h
Today 6:00 am
Wetter-Symbol
9° | 10°°C 1 mm 100% 24 mph 89 % 995 mb 0 mm/h
Today 9:00 am
Wetter-Symbol
10° | 11°°C 1 mm 100% 15 mph 85 % 994 mb 0 mm/h
Today 12:00 pm
Wetter-Symbol
9° | 9°°C 0.8 mm 80% 17 mph 60 % 997 mb 0 mm/h
Today 3:00 pm
Wetter-Symbol
8° | 8°°C 0 mm 0% 13 mph 50 % 999 mb 0 mm/h
Today 6:00 pm
Wetter-Symbol
7° | 7°°C 0 mm 0% 9 mph 56 % 1002 mb 0 mm/h
Today 9:00 pm
Wetter-Symbol
6° | 6°°C 0 mm 0% 5 mph 63 % 1002 mb 0 mm/h
Tomorrow 12:00 am
Wetter-Symbol
5° | 5°°C 0 mm 0% 4 mph 68 % 1000 mb 0 mm/h
Name Preis24H (%)
Bitcoin(BTC)
€99,159.01
0.87%
Ethereum(ETH)
€3,172.44
2.68%
XRP(XRP)
€2.95
-2.23%
Fesseln(USDT)
€0.96
0.06%
Solana(SOL)
€239.70
0.62%
USDC(USDC)
€0.96
0.00%
Dogecoin(DOGE)
€0.331925
-2.26%
Shiba Inu(SHIB)
€0.000019
-1.63%
Pepe(PEPE)
€0.000014
-0.42%
Peanut das Eichhörnchen(PNUT)
€0.333452
-4.27%
Nach oben scrollen