Lucene search

K
thnThe Hacker NewsTHN:1F1D6595B5540271310644B077944EE2
HistoryDec 27, 2023 - 3:39 p.m.

Critical Zero-Day in Apache OfBiz ERP System Exposes Businesses to Attack

2023-12-2715:39:00
The Hacker News
thehackernews.com
33

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.785 High

EPSS

Percentile

98.0%

Apache OfBiz ERP

A new zero-day security flaw has been discovered in Apache OfBiz, an open-source Enterprise Resource Planning (ERP) system that could be exploited to bypass authentication protections.

The vulnerability, tracked as CVE-2023-51467, resides in the login functionality and is the result of an incomplete patch for another critical vulnerability (CVE-2023-49070, CVSS score: 9.8) that was released earlier this month.

“The security measures taken to patch CVE-2023-49070 left the root issue intact and therefore the authentication bypass was still present,” the SonicWall Capture Labs threat research team, which discovered the bug, said in a statement shared with The Hacker News.

Apache OfBiz ERP

CVE-2023-49070 refers to a pre-authenticated remote code execution flaw impacting versions prior to 18.12.10 that, when successfully exploited, could allow threat actors to gain full control over the server and siphon sensitive data. It is caused due to a deprecated XML-RPC component within Apache OFBiz.

According to SonicWall, CVE-2023-51467 could be triggered using empty and invalid USERNAME and PASSWORD parameters in an HTTP request to return an authentication success message, effectively circumventing the protection and enabling a threat actor to access otherwise unauthorized internal resources.

Cybersecurity

The attack hinges on the fact that the parameter “requirePasswordChange” is set to “Y” (i.e., yes) in the URL, causing the authentication to be trivially bypassed regardless of the values passed in the username and password fields.

“The vulnerability allows attackers to bypass authentication to achieve a simple Server-Side Request Forgery (SSRF),” according to a description of the flaw on the NIST National Vulnerability Database (NVD).

Users who rely on Apache OFbiz to update to version 18.12.11 or later as soon as possible to mitigate any potential threats.

Update

The Shadowserver Foundation said it has observed “quite a few” exploit attempts targeting CVE-2023-49070, making it imperative that users move quickly to secure their Apache OFBiz instances against the two vulnerabilities.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.785 High

EPSS

Percentile

98.0%