lconstantin
CSO Senior Writer

Apache OFBiz patches new critical remote code execution flaw

The vulnerability represents a bypass of fixes put in place this year for three critical RCE flaws that had the same root cause and have since been used in attacks.


Developers of Apache OFBiz, an open-source enterprise resource planning (ERP) framework, have released a patch for a new critical flaw that can allow unauthenticated attackers to execute arbitrary code on servers. The likelihood of attackers exploiting this vulnerability in real-world attacks is high so users should deploy the patch as soon as possible.

The new vulnerability is tracked as CVE-2024-45195 and was found by Ryan Emmons, lead security researcher at Rapid7. The flaw was fixed in Apache OFBiz version 18.12.16 released last week, which also includes a fix for a server-side request forgery (SSRF) issue tracked as CVE-2024-45507.

“An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server,” Emmons said in a blog post. “Exploitation is facilitated by bypassing previous patches for CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856.”

Apache OFBiz, originally named Open for Business, is a Java-based ERP web application and development framework that offers modules for managing business processes such as accounting, HR, supply chain management, product catalog management, customer relationship management (CRM), manufacturing, e-commerce and more. The framework underpinning it can also be used to build additional custom applications and features.

The software is used globally and across many industries, but it’s unclear how many organizations run Apache OFBiz since many use it internally. Based on public data, its users include large companies such as IBM, HP, Accenture, United Airlines, Home Depot, and Upwork. Some third-party commercial applications like Atlassian JIRA also use OFBiz modules.

Fragmenting the controller-view map state

The root cause of CVE-2024-45195 and the three earlier related flaws is incorrect or insufficient authorization checking for authenticated view maps, because the state between the called controller and the accessed view map is corrupted.

This happens because the application uses different methods to parse URIs — one to get the controller, one to get the view map — so attackers accessing a controller that doesn’t require authentication could craft URIs that pass controller authorization but request a view map that is only supposed to be accessible to admins.

The Apache OFBiz developers have described some of the flaws stemming from this issue as path traversals, but Emmons calls the condition a controller-view map state fragmentation.

“When unexpected URI patterns are sent to the application, the state of the application’s current controller and view map is fragmented,” the researcher said. “An attacker can confuse the implemented logic to fetch and interact with an authenticated view map via an unauthenticated controller. When this happens, only the controller authorization checks will be performed, which the attacker can use to access admin-only view maps that do things like execute SQL queries or code.”

Bypassing previous fixes

When CVE-2024-32113 was first found and reported in May, it targeted a view map called “ProgramExport” that could execute Groovy scripts. The developers responded by taking a blacklist approach and tried to implement blocks for URI patterns like those used in the exploit.

Blacklist approaches are rarely comprehensive, so researchers found other URI patterns by using character encoding that bypassed those checks. This was shown in CVE-2024-36104, reported in June. The developers again responded by adding more filters to remove special encoded characters from URIs.

In August, researchers from SonicWall showed that using URIs with special characters like periods or semicolons — which the previous exploits did — is not really needed to trigger the state fragmentation and access the dangerous view maps. This new bypass is tracked as CVE-2024-38856 and the developers changed their strategy and fixed it by adding permission checks for the ProgramExport and EntitySQLProcessor view maps that were targeted by the exploits until then.

However, Emmons found a different view map to abuse, called XmlDsDump, which can be used to query the underlying database for any data and then write the results to an arbitrarily named file anywhere on disk. This data could include the password hashes of users defined in the system, and those hashes could be cracked.

The researcher took it a step further by combining it with a script present in the system called ViewDataFile.groovy that could write files to disk from requests and used it to write a web shell that then allowed remote code execution on the server.

In response to this flaw the OFBiz developers implemented a more comprehensive fix that changes the way authorization is checked for view maps and no longer relies on authorization checks just for the target controller.

“This release introduces a new permission check for view-maps and changes defaults for request-maps,” the developers said in the release notes. “In particular, an additional view-map parameter, ‘auth’, has been added with the default set to ‘true.’ The defaults for the request-map parameters ‘https’ and ‘auth’ were also changed to ‘true’. Please note that these are changes that may have an impact on custom applications, and you’ll need to set auth="false" for all your custom views that are intended to be accessible to anonymous users.”
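To make the effect of that change concrete, here is an added illustration (not OFBiz code, and not the researcher’s) of the authorization logic before and after: a dispatcher that once consulted only the resolved controller’s auth flag, beside one that also enforces the view map’s own flag, which now defaults to true. The request-map and view-map names and tables are constructed placeholders.

```python
# Added illustration of the 18.12.16 authorization change; not Apache OFBiz code.
# The request/view tables and their names are constructed placeholders.
from dataclasses import dataclass


@dataclass
class RequestMap:
    uri: str
    auth: bool = True    # 18.12.16 default for request-maps (release notes)
    https: bool = True   # likewise now defaults to true


@dataclass
class ViewMap:
    name: str
    auth: bool = True    # new view-map parameter; default true per release notes


# Constructed tables; these are placeholder names, not real OFBiz maps.
REQUEST_MAPS = {
    "login": RequestMap("login", auth=False, https=True),   # anonymous controller
    "adminDump": RequestMap("adminDump"),                   # requires a session
}
VIEW_MAPS = {
    "LoginScreen": ViewMap("LoginScreen", auth=False),      # explicitly anonymous
    "AdminDump": ViewMap("AdminDump"),                      # admin-only, auth=True
    "LegacyCustomView": ViewMap("LegacyCustomView"),        # custom view, auth unset
}


def dispatch_pre_fix(controller: str, view: str, authenticated: bool) -> str:
    """Pre-fix logic: only the controller's auth flag is consulted. When the
    controller and the view were resolved by different URI parsers (the state
    fragmentation the article describes), an admin-only view can be rendered
    through an anonymous controller because the view carries no check."""
    req = REQUEST_MAPS[controller]
    if req.auth and not authenticated:
        return "denied"
    return VIEW_MAPS[view].name


def dispatch_fixed(controller: str, view: str, authenticated: bool) -> str:
    """18.12.16 logic: the view map is authorized independently of how the
    controller was resolved, so fragmentation no longer skips the check.
    Custom views that never set auth inherit auth=True and will now deny
    anonymous users, which is the migration caveat in the release notes."""
    req = REQUEST_MAPS[controller]
    vm = VIEW_MAPS[view]
    if (req.auth or vm.auth) and not authenticated:
        return "denied"
    return vm.name
```

The last assertion-worthy case is LegacyCustomView: an unchanged custom view that was anonymous before the upgrade is denied afterwards until it is explicitly marked auth="false".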

Patch to avoid exploitation

Apache OFBiz vulnerabilities are attractive to attackers and have been exploited soon after their public disclosure. The US Cybersecurity and Infrastructure Security Agency (CISA) currently lists CVE-2024-32113 and CVE-2024-38856 in its Known Exploited Vulnerabilities (KEV) catalog, but there is third-party evidence that other flaws have been targeted as well, for example CVE-2023-51467, a critical OFBiz vulnerability patched in December 2023. Patch it by downloading Apache OFBiz version 18.12.16.