Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Critical remote code execution flaw in Apache OFBiz patched

A padlock resting on a keyboard.

Apache released a patch for a critical severity vulnerability in its OFBiz software. The bug is an arbitrary code execution flaw, allowing threat actors to run any code on either Windows, or Linux servers.

Apache OFBiz (short for Open For Business) is an open-source enterprise resource planning (ERP) system that provides a suite of applications designed to automate and manage a wide range of business processes. It offers a comprehensive platform for businesses to handle operations such as customer relationship management (CRM), supply chain management, inventory management, accounting, e-commerce, and more.

According to cybersecurity researchers Rapid7, the bug stems from a forced browsing weakness that exposes restricted paths to unauthenticated direct request attacks. "An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server," the researchers explained.

Mitigations and fixes

The vulnerability is now tracked as CVE-2024-45195, and carries a severity score of 7.5 (high). All versions prior to 18.12.16 were vulnerable, and in the latest version, Apache addressed the issue by adding authorization checks. Users are advised to apply the patch without hesitation.

The researchers further explained that this is not the first vulnerability, or the first patch, to address the very same kind of flaw. Last year, Apache released three patches for three flaws that all had the same root cause: CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856.

That being said, CVE-2024-45195 is a patch bypass for the three older ones.

“All of them are caused by a controller-view map fragmentation issue that enables attackers to execute code or SQL queries and achieve remote code execution without authentication,” the researcher concluded.

Earlier this month, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that one of the three flaws - CVE-2024-32113, was being exploited in attacks, and added it to the Known Exploited Vulnerabilities (KEV) catalog.

Via BleepingComputer

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.