CVE-2024-45507 Scanner

CVE-2024-45507 Scanner - Remote Code Execution vulnerability in Apache OFBiz

Short Info


Level: Critical

Single Scan: Single Scan

Can be used by: Asset Owner

Estimated Time: 10 seconds

Time Interval: 3 weeks 19 hours

Scan only one: Domain, IPv4

Toolbox: -

Apache OFBiz is an open-source enterprise resource planning (ERP) system used globally by organizations for resource management, CRM, and supply chain management. It is typically employed by businesses seeking customizable software solutions that integrate various business processes. The platform is used for operations like e-commerce, accounting, inventory management, and human resources. Its modular architecture allows for easy adaptation to industry-specific requirements, making it a popular choice among small to medium-sized enterprises seeking tailored ERP solutions. OFBiz is maintained by the Apache Software Foundation and offers extensive support through community and formal channels. The wide adoption of OFBiz makes its security a priority as vulnerabilities can potentially impact critical business operations globally.

CVE-2024-45507 is a server-side request forgery (SSRF) combined with code injection in Apache OFBiz that results in unauthenticated remote code execution (RCE). The StatsSinceStart view in the webtools application accepts the location of its screen decorator from the request, and the server loads and processes the screen definition found at that location without restricting it to the application's own resources. An attacker who points that location at a server they control can make OFBiz fetch an XML screen definition containing embedded script and execute it with the privileges of the OFBiz process. The severity is rated critical because no credentials are required and the impact covers the confidentiality, integrity and availability of the system: an attacker gains the same level of access as the application itself, which is enough for data theft or full server compromise. The issue affects Apache OFBiz releases before 18.12.16; upgrading to 18.12.16 or later removes it. More generally, it illustrates why server-side resource locations taken from user input must be restricted to a strict allow-list rather than passed through to a loader.

The vulnerable code path is the StatsSinceStart view, which reads the StatsDecoratorLocation request parameter and uses its value as the location of the screen decorator to render. Because the value is not restricted to OFBiz's own resource locations, an attacker can supply the URL of an XML screen definition hosted on a server they control; OFBiz fetches it (the SSRF component) and evaluates the script embedded in it (the code-injection component), so the attacker's code runs on the server. The parameter can be delivered either in the query string of a GET request or in the body of a POST request to the same endpoint, and no authentication is required. Since OFBiz is a Java application, the flaw is independent of the host operating system and affects Windows and Linux installations alike. For defenders, any request to StatsSinceStart carrying a StatsDecoratorLocation that points outside the application's own resource scheme is a strong indicator of an exploitation attempt.
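The detection logic described above, as an added example that is not part of the original page or of the Apache OFBiz project: it parses combined-format web server access logs and flags requests to the StatsSinceStart endpoint whose StatsDecoratorLocation does not use OFBiz's own component:// resource scheme (the assumption here is that every legitimate decorator location uses that scheme), and separately marks POST requests to the endpoint for body inspection, since the parameter is not visible in an access log when it travels in the request body. The log lines, IP addresses and file names are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Sep/2024:10:12:01 +0000] "GET /webtools/control/StatsSinceStart HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Sep/2024:10:12:09 +0000] "GET /webtools/control/StatsSinceStart?StatsDecoratorLocation=http%3A%2F%2F203.0.113.7%2Fdecorator.xml HTTP/1.1" 200 811 "-" "curl/8.4.0"
203.0.113.7 - - [03/Sep/2024:10:12:11 +0000] "POST /webtools/control/StatsSinceStart HTTP/1.1" 200 811 "-" "curl/8.4.0"
10.0.0.9 - - [03/Sep/2024:10:13:00 +0000] "GET /webtools/control/StatsSinceStart?StatsDecoratorLocation=component%3A%2F%2Fwebtools%2Fwidget%2FCommonScreens.xml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Sep/2024:10:14:00 +0000] "GET /webtools/control/main HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: source IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

VULN_PATH = "/webtools/control/StatsSinceStart"
PARAM = "StatsDecoratorLocation"
# Assumption: legitimate decorator locations use OFBiz's component:// scheme.
ALLOWED_SCHEME = "component://"


def scan_log(log_text):
    """Return a list of findings for requests that match the CVE-2024-45507 pattern."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        parts = urlsplit(m["target"])
        if parts.path != VULN_PATH:
            continue  # only the StatsSinceStart endpoint is of interest

        # parse_qs percent-decodes the values, so the raw URL is visible here.
        locations = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
        for loc in locations:
            if not loc.lower().startswith(ALLOWED_SCHEME):
                findings.append({
                    "src": m["src"],
                    "ts": m["ts"],
                    "method": m["method"],
                    "severity": "high",
                    "location": loc,
                    "reason": f"{PARAM} points outside the {ALLOWED_SCHEME} scheme",
                })

        # A POST carries the parameter in the body, which the access log does not
        # record; surface it so the request body (WAF/proxy capture) can be checked.
        if m["method"] == "POST" and not locations:
            findings.append({
                "src": m["src"],
                "ts": m["ts"],
                "method": m["method"],
                "severity": "review",
                "location": None,
                "reason": f"POST to {VULN_PATH}; body not logged, inspect it for {PARAM}",
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['src']} {f['method']} {f['location']!r}: {f['reason']}")
```

The same two conditions translate directly into a WAF or SIEM rule: block or alert on StatsDecoratorLocation values whose scheme is anything other than component://, and route POSTs to the endpoint to a rule that inspects the request body, since query-string inspection alone misses them.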

Exploitation of this vulnerability has severe consequences for servers hosting Apache OFBiz. Arbitrary code execution lets an attacker read, modify or delete business data, undermining both the confidentiality and the integrity of the data and the availability of the operations that depend on it. In the worst case the attacker establishes a persistent presence on the server, which supports further attacks, data exfiltration or disruption of services. The same access can be used to plant additional backdoors, to abuse the server's resources for the attacker's own purposes, and to pivot from the ERP host deeper into the internal network.
