Apache patched a bypass vulnerability in its widely used Apache OFBiz open-source enterprise resource planning (ERP) software that could have led to unauthenticated remote code execution on both Linux and Windows.
In a Sept. 5 blog post, researchers at Rapid7 explained that even an attacker lacking valid credentials could exploit missing view authorization checks in the web application to execute arbitrary code on an OFBiz server.
The researchers explained that this most recent patch, for CVE-2024-45195, is the fourth fix for a flaw Apache had already patched three times: in May (CVE-2024-32113), in June (CVE-2024-36104), and in August (CVE-2024-38856). Both CVE-2024-32113 and CVE-2024-38856 were exploited in the wild and were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
“To recap, all three of the previous vulnerabilities were caused by the same shared underlying issue, the ability to desynchronize the controller and view map state,” wrote the Rapid7 researchers. “That flaw was not fully addressed by any of the patches.”
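The root cause Rapid7 describes is an authorization check made against one table (the controller's request map) while the page actually rendered comes from another (the view map), so the two can be driven out of sync. The following toy dispatcher, written here as an added illustration and not taken from OFBiz or Rapid7, shows that bug class in a vulnerable form beside a hardened one. The controller and view tables, the `Request` type, the `view` override parameter and the `Forbidden` error are all constructed for the example and do not correspond to OFBiz's real configuration or parameter names.

```python
"""Toy model of the "controller / view map desync" bug class.

Hypothetical dispatcher written for illustration only. It is not OFBiz code
and makes no claim about how OFBiz's controller or view handlers work.
"""
from dataclasses import dataclass, field

# Constructed controller map: request URI -> name of the view it normally renders.
CONTROLLER_MAP = {
    "/status": "PublicStatus",
    "/admin/users": "AdminUsers",
}

# Constructed view map: view name -> whether it needs an authenticated user.
VIEW_MAP = {
    "PublicStatus": {"auth_required": False},
    "AdminUsers": {"auth_required": True},
}


@dataclass
class Request:
    uri: str
    authenticated: bool = False
    params: dict = field(default_factory=dict)


class Forbidden(Exception):
    """Raised when a request must not be served."""


def render(view: str) -> str:
    # Stand-in for the real view renderer.
    return f"rendered {view}"


def dispatch_vulnerable(req: Request) -> str:
    """Authorize from the controller entry, then render a separately resolved view.

    The authorization decision is made on the view the controller *expects*,
    while the view that is finally rendered is resolved again from request
    data. The two tables fall out of sync and the check protects the wrong
    object.
    """
    controller_view = CONTROLLER_MAP.get(req.uri)
    if controller_view is None:
        raise Forbidden("unknown request")
    if VIEW_MAP[controller_view]["auth_required"] and not req.authenticated:
        raise Forbidden("login required")
    # Bug: the rendered view is not the one that was authorized.
    final_view = req.params.get("view", controller_view)
    if final_view not in VIEW_MAP:
        raise Forbidden("unknown view")
    return render(final_view)


def dispatch_hardened(req: Request) -> str:
    """Resolve the final view first, then authorize exactly that view.

    Whatever request path led here, a view marked auth_required is only
    rendered for an authenticated user, so no desync is possible.
    """
    controller_view = CONTROLLER_MAP.get(req.uri)
    if controller_view is None:
        raise Forbidden("unknown request")
    final_view = req.params.get("view", controller_view)
    if final_view not in VIEW_MAP:
        raise Forbidden("unknown view")
    if VIEW_MAP[final_view]["auth_required"] and not req.authenticated:
        raise Forbidden("login required")
    return render(final_view)


def outcome(dispatcher, req: Request) -> str:
    """Run a dispatcher and report the result as a string (for comparison)."""
    try:
        return dispatcher(req)
    except Forbidden as exc:
        return f"forbidden: {exc}"


if __name__ == "__main__":
    # An anonymous request to a public URI that asks for the admin view.
    probe = Request("/status", authenticated=False, params={"view": "AdminUsers"})
    print("vulnerable:", outcome(dispatch_vulnerable, probe))
    print("hardened:  ", outcome(dispatch_hardened, probe))
```

The defensive lesson is the ordering in `dispatch_hardened`: decide what will actually be rendered, then authorize that. A stricter design would not let request data select the view at all, but even where it must, the check has to be bound to the resolved view rather than to the controller's expectation.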
The map state issue was reported to the Apache OFBiz team by Ryan Emmons, lead security researcher at Rapid7, as well as by several other researchers. Apache promptly patched the bypass vulnerability once Rapid7 informed them of the flaw.
Attackers can use poorly managed map state data such as coordinates, layers, or metadata to launch injection attacks. The Rapid7 researchers said threat actors could potentially manipulate the map data to access admin-only view maps that can execute malicious SQL queries or code.
Callie Guenther, senior manager of cyber threat research at Critical Start, added that the Apache OFBiz vulnerability can let attackers take full control of servers running OFBiz, on both Linux and Windows, without requiring credentials. Guenther, an SC Media columnist, said that because OFBiz is often used to manage critical business operations, including financial and customer data, the potential for data breaches or system hijacking is high.
“Past exploitation patterns suggest this flaw could be integrated into botnets, such as Mirai,” said Guenther. “Security teams should prioritize patching to mitigate this emerging threat.”
Itzik Alvas, co-founder and CEO of Entro Security, pointed out that the Apache OFBiz vulnerability serves as a stark reminder of the risks associated with both human and non-human identities in enterprise environments.
“Attackers exploiting missing authorization checks can manipulate system processes and automated agents, leading to unauthorized actions,” said Alvas. “This incident underscores the importance of regular updates, robust identity governance, and comprehensive security measures to protect all facets of an organization’s digital infrastructure.”