
Warning: Pre-Authenticated Remote Code Execution Vulnerability in Apache OFBiz, Patch Immediately!

Reference: 
Advisory #2023-154
Version: 
1.0
Affected software: 
Apache OFBiz
Type: 
Remote Code Execution (RCE)
CVE/CVSS: 

CVE-2023-49070: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-51467: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://issues.apache.org/jira/browse/OFBIZ-12812
https://ofbiz.apache.org/security.html

Risks

There is a critical vulnerability affecting Apache OFBiz, an open-source enterprise resource planning system. When exploited, an unauthenticated attacker could inject malicious code into vulnerable servers and gain full control over them.

Successful exploitation causes a high impact on confidentiality, integrity, and availability.

There is no report of active exploitation but a proof of concept has been published.

Update 28 December 2023

The fix applied for CVE-2023-49070 did not address the root cause, so the authentication bypass persisted after patching.

The remaining bypass was assigned a new identifier, CVE-2023-51467.

Description

CVE-2023-49070 is a pre-authentication vulnerability that stems from an obsolete XML-RPC component still present in Apache OFBiz. XML-RPC is a protocol for encoding and transmitting remote procedure calls between computers over a network; the component is now deprecated.

A remote, unauthenticated attacker could leverage this vulnerability to inject malicious code into vulnerable Apache OFBiz servers and gain full control over them.

Recommended actions

Patch

The Centre for Cybersecurity Belgium strongly recommends upgrading to the latest version as soon as possible.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
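Because patching does not remediate a compromise that already happened, a retrospective sweep of web-server access logs for traffic to the deprecated XML-RPC component is a practical first step. The script below is an added example written for this advisory, not code from the CCB or the Apache OFBiz project. It assumes the logs are in the common/combined access-log format and that the deprecated component is reachable under a URL path containing "xmlrpc" (the XMLRPC_PATH_MARKER value; confirm the actual path against your deployment). The log lines it processes are constructed for the demonstration.

```python
"""Retrospective access-log sweep for requests to Apache OFBiz's deprecated
XML-RPC component.

Added example, not part of the CCB advisory or the OFBiz project.
Assumptions (not stated on the advisory page):
  * the deprecated component is reachable under a path containing "xmlrpc";
  * the logs use the common/combined access-log format.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Assumption: the deprecated endpoint's URL path contains this marker.
XMLRPC_PATH_MARKER = "xmlrpc"

# Combined log format:
#   ip ident user [time] "METHOD path PROTOCOL" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines; the paths and addresses are made up for the demo.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Dec/2023:10:01:02 +0100] "GET /control/main HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.77 - - [27/Dec/2023:10:01:05 +0100] "POST /control/xmlrpc HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.77 - - [27/Dec/2023:10:01:06 +0100] "POST /control/xmlrpc HTTP/1.1" 200 398 "-" "python-requests/2.31"
198.51.100.5 - - [27/Dec/2023:10:02:00 +0100] "POST /control/xmlrpc HTTP/1.1" 401 0 "-" "curl/8.4"
203.0.113.10 - - [27/Dec/2023:10:03:00 +0100] "GET /ecommerce/control/main HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_xmlrpc_hits(log_text: str) -> List[Dict[str, str]]:
    """Return every parsed request whose path contains the XML-RPC marker."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line: skip, never crash a hunt over it
        if XMLRPC_PATH_MARKER in rec["path"].lower():
            hits.append(rec)
    return hits


def summarize_by_source(hits: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Count, per client address, all XML-RPC requests and the POSTs that
    got a 2xx response. Any traffic to a deprecated endpoint is worth a
    look; successful POSTs from one source are the ones to triage first."""
    summary: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"requests": 0, "successful_posts": 0}
    )
    for rec in hits:
        entry = summary[rec["ip"]]
        entry["requests"] += 1
        if rec["method"] == "POST" and rec["status"].startswith("2"):
            entry["successful_posts"] += 1
    return dict(summary)


if __name__ == "__main__":
    # Usage against a real file: summarize_by_source(find_xmlrpc_hits(open(path).read()))
    for ip, counts in summarize_by_source(find_xmlrpc_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {counts['requests']} XML-RPC request(s), "
              f"{counts['successful_posts']} successful POST(s)")
```

Run it against the access logs covering the full period the vulnerable version was exposed, not just the days since the advisory. A source with repeated successful POSTs to the endpoint is a candidate for host-level forensics; a source that only received 401 or 404 responses is lower priority but still shows the endpoint was being probed.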