Apache has patched a critical security vulnerability in its open-source OFBiz software, which could allow attackers to execute arbitrary code on vulnerable Linux and Windows servers. The vulnerability, tracked as CVE-2024-45195, was discovered by Rapid7 security researchers.
The flaw allows unauthenticated attackers to exploit missing view authorization checks in the web application, enabling them to execute arbitrary code on the server. Apache’s security team fixed the issue in version 18.12.16 by adding authorization checks. Users are advised to upgrade their installations as soon as possible to block potential attacks.
This vulnerability is a patch bypass for three other OFBiz vulnerabilities that were previously patched: CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856. All of these flaws share the same root cause – a controller-view map fragmentation issue that enables attackers to execute code or SQL queries without authentication.
The United States Cybersecurity and Infrastructure Security Agency (CISA) has warned that these vulnerabilities are being exploited in attacks. CISA added two of these security bugs to its catalog of actively exploited vulnerabilities, requiring federal agencies to patch their servers within three weeks, as mandated by the binding operational directive issued in November 2021.
Source: https://www.bleepingcomputer.com/news/security/apache-fixes-critical-ofbiz-remote-code-execution-vulnerability/