Apache OFBiz, an open-source Enterprise Resource Planning (ERP) system, is affected by a newly disclosed security vulnerability. The flaw, tracked as CVE-2023-51467, sits in the system's login handling and lets an unauthenticated attacker bypass authentication; it is fixed in version 18.12.11.
CVE-2023-51467 in Detail
The root of the issue is an incomplete patch for an earlier critical vulnerability, CVE-2023-49070 (CVSS 9.8). The fix shipped for CVE-2023-49070 earlier in December 2023 removed the vulnerable component but left the underlying weakness in the login logic in place, so the authentication bypass remained reachable and was subsequently reported as CVE-2023-51467. The SonicWall Capture Labs threat research team, which found the bypass, attributes it directly to that incomplete patch: the root cause survived, and with it the ability to skip authentication.
CVE-2023-49070 is a pre-authentication remote code execution flaw in versions before 18.12.10. It stems from a deprecated XML-RPC component in Apache OFBiz and gives an attacker full control of the server, including access to whatever sensitive data it holds. The 18.12.10 release addressed it by removing the XML-RPC component rather than by correcting the authentication check that let unauthenticated requests reach it in the first place.
SonicWall describes the trigger for CVE-2023-51467 as follows: an HTTP request carrying empty or invalid USERNAME and PASSWORD parameters, together with the parameter requirePasswordChange set to Y in the URL, is answered with an authentication success message, and the caller is granted access to internal resources that should require a valid session. The login flow treated the "password change required" outcome as something other than a failure, and the surrounding check only rejected explicit errors, so the values supplied in the username and password fields do not matter; any request with requirePasswordChange=Y passes.
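The request shape above is easy to look for after the fact. The following is an added example, not code from the article, from SonicWall or from the Apache OFBiz project: it parses access-log lines for the pattern described (requirePasswordChange=Y in the query string alongside blank or arbitrary USERNAME/PASSWORD values) and grades each hit. It assumes Combined Log Format from a proxy or Tomcat in front of OFBiz; the request paths and the log lines themselves are constructed for the example.

```python
"""Access-log triage for the CVE-2023-51467 request shape.

Added example, not code from the article, SonicWall or the Apache OFBiz project.
Assumptions: the reverse proxy in front of OFBiz writes Combined Log Format, the
request paths in the sample lines are illustrative, and the sample lines are
constructed (not real traffic).
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Combined Log Format (assumed proxy/Tomcat access-log layout).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

CRED_PARAMS = ("USERNAME", "PASSWORD")


@dataclass(frozen=True)
class Finding:
    client: str
    time: str
    target: str
    status: int
    confidence: str  # "high" or "medium"


def parse_query(target: str) -> dict:
    """Query parameters of a request target, keeping blank values.

    keep_blank_values=True matters: '?USERNAME&PASSWORD=&requirePasswordChange=Y'
    must yield USERNAME='' and PASSWORD='' rather than dropping both keys, because
    the empty-credential form is exactly the one the write-up describes.
    """
    return dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))


def classify(target: str) -> Optional[str]:
    """Return 'high', 'medium' or None for one request target.

    high:   requirePasswordChange=Y with USERNAME/PASSWORD supplied but blank,
            the textbook form of the bypass.
    medium: requirePasswordChange=Y with any other credential values, or none.
            The bypass works irrespective of the values, so this still deserves
            a look, but a non-blank pair could in principle be a genuine login.
    """
    params = parse_query(target)
    if params.get("requirePasswordChange") != "Y":
        return None
    supplied = [params[k] for k in CRED_PARAMS if k in params]
    if supplied and any(v == "" for v in supplied):
        return "high"
    return "medium"


def scan(lines) -> list:
    """Run classify() over raw log lines and collect the hits."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line we understand; skip rather than crash
        conf = classify(m["target"])
        if conf is not None:
            findings.append(Finding(m["client"], m["time"], m["target"], int(m["status"]), conf))
    return findings


# Constructed sample lines (not real traffic). Paths are illustrative.
SAMPLE_LOG = [
    '10.0.0.7 - - [26/Dec/2023:10:14:02 +0000] "GET /webtools/control/main?USERNAME&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '10.0.0.7 - - [26/Dec/2023:10:14:03 +0000] "GET /webtools/control/main?USERNAME=admin&PASSWORD=x&requirePasswordChange=Y HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '192.0.2.5 - - [26/Dec/2023:10:15:00 +0000] "POST /webtools/control/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [26/Dec/2023:10:15:01 +0000] "GET /catalog/control/main?requirePasswordChange=N HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    "garbage line that is not an access log entry",
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.confidence:6} {f.client:12} {f.status} {f.target}")
```

A 200 on a "high" hit is the line to chase first; a legitimate login flow posts credentials in the request body, not in the query string, so a GET carrying both USERNAME and requirePasswordChange=Y has no benign explanation on a patched or unpatched host.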
The flaw is described as enabling Server-Side Request Forgery (SSRF) once authentication is bypassed, and on instances that still carry the XML-RPC endpoint targeted by CVE-2023-49070 the same bypass reopens the path to remote code execution. Either way, any Apache OFBiz instance whose control endpoints are reachable from an untrusted network is at significant risk.
Update Is Crucial
Users should update Apache OFBiz to version 18.12.11 or later without delay; 18.12.10 is not sufficient, since it fixes CVE-2023-49070 but not the login bypass. The urgency is underscored by the Shadowserver Foundation, which has observed a surge in exploitation attempts against CVE-2023-49070. Until the update is applied, restricting network access to the OFBiz web applications and reviewing access logs for requests carrying requirePasswordChange=Y are the practical stopgaps.