Critical Apache OFBiz Zero-day Flaw Exploited in the Wild

Researchers uncovered a critical authentication bypass zero-day flaw tracked as CVE-2023-51467, with a CVSS score of 9.8 affecting Apache OFBiz’s open-source enterprise resource planning (ERP) system.

The vulnerability allows attackers to bypass simple Server-Side Request Forgery (SSRF) authentication.

The pre-authenticated RCE vulnerability tracked as CVE-2023-49070 leads to the zero-day SSRF vulnerability CVE-2023-51467 in Apache OFBiz due to an incomplete patch.

 “The security measures taken to patch CVE-2023-49070 left the root issue intact, and therefore, the authentication bypass was still present”, the SonicWall threat research team shared with Cyber Security News.

The vulnerability CVE-2023-49070 stems from an outdated, no-longer-maintained XML-RPC component within Apache OFBiz.

Document
Free Webinar

Fastrack Compliance: The Path to ZERO-Vulnerability

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Details of the Zero-Day Flaw That Affects Apache OfBiz

An open-source enterprise resource planning (ERP) system is called Apache OfBiz. Although it might not sound familiar, it is widely installed in well-known applications, including Atlassian’s JIRA, which more than 120K enterprises use. 

Because of this, just like with many supply chain libraries, if threat actors take advantage of this vulnerability, the consequences might be severe. 

 “This flaw could lead to the exposure of sensitive information or even the ability to execute arbitrary code,” researchers said.

The login functionality contains the vulnerability tracked as CVE-2023-51467. Regardless of the username, password, or other arguments in an HTTP request, researchers found that the magic string requirePasswordChange=Y is the primary source of the authentication bypass.

Because of this, the vulnerability was not entirely fixed by removing the XML RPC code. 

Affected Version

This vulnerability impacts Apache OFBiz before 18.12.11.

Patch Now

Anyone running Apache OFbiz is urged to update to version 18.12.11 or higher immediately.  To identify any active exploitation of this vulnerability, SonicWall has created an IPS signature, IPS: 15949, in addition to the fix.

Try Kelltron’s cost-effective for free to assess and evaluate the security posture of digital systems.

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.