Apache has issued a fix in OFBiz (Open For Business) that addresses an unauthenticated remote code execution bug.
The high-severity direct request flaw (CVE-2024-45195) impacts Apache OFBiz versions below 18.12.16 for Linux and Windows. The vulnerability could allow attackers with no valid credentials to exploit missing view authorization checks in the web application and ultimately execute arbitrary code. Users can upgrade to version 18.12.16, which fixes the issue.
The vulnerability disclosed this week is a patch bypass that elaborates on three previous disclosures, according to Ryan Emmons, lead security researcher with Rapid7. The three Apache OFBiz vulnerabilities were published over the course of 2024, including CVE-2024-32113, which was disclosed in May, CVE-2024-36104, which was disclosed in June and CVE-2024-38856, which was published in August. Emmons said that all three of the previous flaws stemmed from the same underlying issue: The ability to desynchronize the controller and view map state.
“Based on our analysis, three of these vulnerabilities are, essentially, the same vulnerability with the same root cause,” said Emmons in a Thursday post. “Exploitation is facilitated by bypassing previous patches for CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856; this patch bypass vulnerability is tracked as CVE-2024-45195.”
Some of these vulnerabilities, including CVE-2024-38856 and CVE-2024-32113, have been actively targeted by threat actors and in August, and the Cybersecurity and Infrastructure Security Agency added them to its Known Exploited Vulnerabilities catalog.
Emmons said that remediating the underlying causes behind vulnerabilities can be hard for companies. It is sometimes difficult to determine whether a patch is going to be effective until multiple researchers attempt to bypass it.
“There’s no one-size-fits-all solution; some vulnerabilities can be fixed with small bespoke patches, others require more holistic fixes and patching of reusable techniques,” said Emmons. “When a researcher discloses a vulnerability to an organization, the most apparent aspect is often the documented steps and techniques they used to achieve exploitation. Patching these specific techniques is an important means of remediating vulnerabilities. However, many roads can often lead to the same destination. Since exploitation involves a lot of creativity, different researchers can find very different ways of achieving a similar result.”
The most important thing that companies can do when developing patches to address these issues is to openly communicate with researchers, said Emmons.
“It can be difficult for software producers to be certain that a patch will be 100 percent effective,” said Emmons. “Prompt and open communication with users and researchers creates the best circumstances for successful outcomes.”
Apache OFBiz is an open-source enterprise resource planning and customer relationship management suite. Because the tool is utilized by multiple organizations and houses enterprise data, it is a lucrative target for attackers, and previous vulnerabilities in Apache OFBiz have been exploited.