Advisory

Apache OFBiz ERP system critical flaw reported

Take action: If you are running Apache OFBiz, restrict access to it from the internet, then upgrade to 18.12.11 or later as soon as possible. The vulnerability is almost trivial to exploit and automated attacks have already begun. Do your part not to get hacked.


Learn More

A critical authentication bypass, tracked as CVE-2023-51467 (CVSS 3 score 9.8), has been identified in Apache OFBiz, an open-source Enterprise Resource Planning (ERP) system. It exists because the fix for an earlier critical flaw, CVE-2023-49070, was incomplete. That earlier flaw was a pre-authentication remote code execution bug in the deprecated XML-RPC component of OFBiz versions before 18.12.10, and it could give an unauthenticated attacker complete control of the server and access to its data.

CVE-2023-51467 arises because the patch for CVE-2023-49070 removed the XML-RPC endpoint but did not correct the underlying authentication logic. An attacker sends an HTTP request to an OFBiz controller with empty or invalid USERNAME and PASSWORD parameters together with requirePasswordChange=Y in the URL. The login code treats the "password change required" outcome as something other than a failure, so the authentication check reports success regardless of the username and password values. The most direct consequence is a simple Server-Side Request Forgery (SSRF); the CVE record itself describes the bypass as enabling remote code execution.
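The request pattern described above is easy to hunt for in web-server access logs. The following script is an added example for this advisory, not code from the OFBiz project: it parses Combined Log Format lines and flags any request to an OFBiz controller path (`/<webapp>/control/...`) that carries `requirePasswordChange=Y` with an empty or absent USERNAME or PASSWORD. The log lines embedded in it are constructed for the example; the `/webtools/control/ping` target is the endpoint used in published vulnerability checks, and the `/ecommerce/control/main` line is there only to show that the rule is not tied to one webapp.

```python
"""Detect CVE-2023-51467 login-bypass attempts in access logs.

Added example for this advisory, not Apache OFBiz code. Signature:
a request to an OFBiz controller with requirePasswordChange=Y and an
empty or missing USERNAME or PASSWORD parameter in the query string.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: client, ident, user, [time], "request line", status, size, ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic (not real logs). Lines 1 and 4 match the
# bypass signature; line 2 is ordinary browsing; line 3 is a genuine
# forced password change, which carries real credentials.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Dec/2023:10:14:02 +0000] "POST /webtools/control/ping?USERNAME&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 4 "-" "curl/8.4.0"
198.51.100.20 - - [28/Dec/2023:10:20:11 +0000] "GET /webtools/control/main HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [28/Dec/2023:10:20:15 +0000] "POST /webtools/control/login?USERNAME=admin&PASSWORD=s3cret&requirePasswordChange=Y HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Dec/2023:10:21:40 +0000] "GET /ecommerce/control/main?requirePasswordChange=Y&USERNAME=&PASSWORD= HTTP/1.1" 200 8813 "-" "curl/8.4.0"
this line is not in Combined Log Format and is skipped
"""


def is_bypass_attempt(target: str) -> bool:
    """True if the request target matches the CVE-2023-51467 signature."""
    parts = urlsplit(target)
    # OFBiz routes every webapp request through /<webapp>/control/<request>.
    if "/control/" not in parts.path:
        return False
    # keep_blank_values=True so "USERNAME" and "USERNAME=" both yield "".
    q = parse_qs(parts.query, keep_blank_values=True)
    if q.get("requirePasswordChange", [""])[0] != "Y":
        return False
    user = q.get("USERNAME", [""])[0]
    pwd = q.get("PASSWORD", [""])[0]
    # A legitimate forced password change still sends real credentials;
    # the bypass depends on them being blank or absent.
    return user == "" or pwd == ""


def scan(log_text: str) -> list[dict]:
    """Return one record per log line that matches the bypass signature."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line, skip rather than fail the whole scan
        if is_bypass_attempt(m["target"]):
            hits.append({
                "client": m["client"],
                "time": m["time"],
                "method": m["method"],
                "target": m["target"],
                "status": int(m["status"]),
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        # A 200 on the ping endpoint means the server answered an
        # unauthenticated request: treat as a likely successful bypass.
        print(f"{hit['time']} {hit['client']} {hit['method']} {hit['target']} -> {hit['status']}")
```

Two caveats apply when using this against real logs. First, parameters sent in a POST body are not written to access logs, so attackers who put USERNAME, PASSWORD and requirePasswordChange in the body will not be caught by this rule; OFBiz's own application logging or a WAF in front of it is needed for that. Second, the bypass also works with non-empty but invalid credentials, which an access log cannot distinguish from a real login, so treat any requirePasswordChange=Y request from an unexpected source as worth a closer look.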

Users of Apache OFBiz are urged to upgrade to version 18.12.11 or later, which corrects the authentication logic. Until the upgrade is in place, restrict network access to the OFBiz web applications to trusted networks and review access logs for requests carrying requirePasswordChange=Y with empty credentials.
