In a recent release, the Apache OFBiz project developers have been working on a patch to fix a new critical flaw of software that can be exploited by unauthenticated attackers to execute arbitrary code on the server. Considering that attackers are likely to exploit this vulnerability in real-world attacks, users are advised to deploy the patch as soon as possible to avoid falling victim to this vulnerability.

There was a high-severity vulnerability identified as CVE-2024-45195 (CVSS score: 7.5) affecting Apache OFBiz, a popular open-source business enterprise resource planning (ERP) system that is adapted from Apache OFBiz. In the field of enterprise process automation, Apache OFBiz® from the Apache Software Foundation consists of framework components and applications as well as a business process automation framework. 

This vulnerability is caused by Apache's OFBiz implementation of Direct Request ('Forced Browsing'). It has been found that all versions of the software before 18.12.16 are affected by this bug. The project maintainers have been working on CVE-2024-45195 for several months now to prevent the occurrence of a severe sequence of vulnerabilities, CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856, which were already addressed by the project maintainers previously. 

CVE-2024-32113 and CVE-2024-38856, both of which appear to be exploited actively in the wild and the former of which is used to distribute the Mirai botnet malware, are exploited extensively. This was due to Rapid7's inability to desynchronize the controller state from the view map state, something that was never completely resolved in any of the patches that were released, but which led to all three of the earlier shortcomings. 

Because of the vulnerability, attackers may be able to exploit it to execute code, and SQL queries, and remotely execute the code without the need for authentication by exploiting it. This latest patch was put in place to validate that a view should allow anonymous access if a user is not authenticated (rather than performing authorization checks solely based on the target controller)." CVE-2024-38856 and CVE-2024-32113 are, in fact, critical vulnerabilities, and they've been actively targeted by attackers in the past few months. 

The Cybersecurity and Infrastructure Security Agency has listed them in its catalogue of Known Exploited Vulnerabilities in August. There has been speculation that companies can have a hard time resolving the underlying causes of vulnerabilities because of their size. Sometimes it is difficult to judge whether a patch will be effective until several researchers have tried bypassing it to test its effectiveness. It was Rapid7 that identified and reported the vulnerability, and they suggest that the three security defects are essentially the same bug because they are both caused by the same source code. 

In a report published in early May, CVE-2024-32113 was described as an issue in which a malicious user would be able to navigate through an unauthenticated controller and interact with an authenticated view map, granting them access to an admin-only view map or allowing them to execute SQL commands on it. It has been observed that there have been attempts to exploit people in July.  

A second vulnerability, CVE-2024-36104, which was disclosed in early June, was also explained as a path traversal vulnerability. There were multiple issues with the URI, including semicolons and URL-encoded periods that need to be removed. In early August, Apache drew attention to a vulnerability referred to as CVE-2024-38856. 

This has been described as a security flaw that could allow code execution due to an incorrect authorization. CISA, the United States Cyber Defense agency, announced that the bug had been added to its list of Known Exploited Vulnerabilities (KEVs) towards the end of August. Rapid7 said that all three issues are the result of controller-view map state fragmentation, which can occur when an application begins receiving URI patterns that are not expected. 

Assuming the root cause of the three vulnerabilities is the same, CVE-2024-38856 works on systems that are affected by CVE-2024-32113 and CVE-2024-36104, "since the payload for all three vulnerabilities is the same". There was a CVE-2024-32113 OFBiz vulnerability (patched in May) that was being exploited in attacks by hacker groups, just days after SonicWall researchers published detailed technical details on CVE-2024-38856, a bug involving pre-authentication RCE. 

CISA issued a warning regarding this CVE in early August. In addition to adding the two security bugs to its catalogue of actively exploited vulnerabilities, CISA also announced that federal agencies must patch their servers as soon as possible after the three-week deadline mandated by the binding operational directive (BOD 22-01) issued in November 2021. 

Even though BOD 22-01 only applies to agencies of the Federal Civilian Executive Branch (FCEB), the Center for Information Security and Assurance (CISA) is urging organizations to patch these security flaws immediately to prevent the onset of attacks against their networks. A public proof of concept exploit for OFBiz pre-authentication remote code execution vulnerability (CVE-2023-49070) was used in December to identify Confluence servers that were vulnerable to the exploit. 

The exploit was based on public proof of concept exploits. Having discovered that Emmons now had a new view map to abuse called XmlDsDump, he could query the underlying database for any data that may be available and then write the results to any file, anywhere on the disk, without any restrictions. 

Among the data displayed in this presentation could be hashed passwords of users defined in the system, which could then be cracked to reveal their passwords. As a result of this study, the researcher has taken it one step further by combining it with a script he discovered that was present in the system, named ViewDataFile.groovy, which could write files to disk from requests and used it to build a web shell that enabled remote code execution on the server using the script. 

In response to this flaw, OFBiz developers came up with a more comprehensive fix that does not rely only on non-centralized authorization checks on view maps anymore but also takes into account non-centralized authorization checks for target controllers for the view maps as well.