Apache OFBiz Remote Code Execution Vulnerability (CVE-2023-51467)

Dec 29, 2023 GMT+08:00

I. Overview

Apache OFBiz has disclosed a remote code execution vulnerability (CVE-2023-51467) affecting Apache OFBiz versions earlier than 18.12.11. A crafted request can bypass authentication and reach administrative (back-end) interfaces that evaluate Groovy code, giving an unauthenticated remote attacker code execution on the server. A proof of concept (PoC) has been published, so the risk of exploitation is high.

The same release also fixes an arbitrary file properties reading and Server-Side Request Forgery (SSRF) vulnerability (CVE-2023-50968). It can be triggered by an unauthenticated request to the affected URIs, and successful exploitation may lead to disclosure of sensitive information or arbitrary code execution.

Apache OFBiz is an open source enterprise resource planning (ERP) system. If you run Apache OFBiz, check the deployed version and apply the fix promptly.

Reference

https://lists.apache.org/thread/9tmf9qyyhgh6m052rhz7lg9vxn390bdv

https://lists.apache.org/thread/x5now4bk3llwf3k58kl96qvtjyxwp43q

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Products

Affected versions:

Apache:OFBiz < 18.12.11

Secure versions:

Apache:OFBiz 18.12.11
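As an added example (not part of this notice and not code from the OFBiz project), the following Python snippet classifies deployed OFBiz version strings against the affected range above: anything earlier than 18.12.11 is affected, which includes older release branches such as 17.12.x, not only 18.12.x. It assumes you already have a version string for each deployment (for example the release tag you built from); the host names and versions in the sample inventory are constructed.

```python
import re

# Version in which CVE-2023-51467 and CVE-2023-50968 were fixed (from the advisory).
FIXED_VERSION = (18, 12, 11)

# Matches "18.12.11", "17.12.07" and branch-style names such as "release18.12".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str):
    """Extract (major, minor, patch) from an OFBiz version string.

    A missing patch component is treated as 0, which conservatively
    classifies a bare branch name such as "release18.12" as affected.
    Returns None if no numeric version can be found.
    """
    m = _VERSION_RE.search(version)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True if the version is earlier than 18.12.11 (inside the affected range)."""
    parsed = parse_version(version)
    if parsed is None:
        # Refuse to guess rather than silently reporting an unknown build as fixed.
        raise ValueError(f"cannot parse OFBiz version: {version!r}")
    return parsed < FIXED_VERSION


def classify(versions):
    """Return {version_string: 'affected' | 'fixed'} for a list of versions."""
    return {v: ("affected" if is_affected(v) else "fixed") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts), not real deployments.
    inventory = {
        "erp-prod": "18.12.10",
        "erp-stage": "18.12.11",
        "erp-legacy": "17.12.07",
        "erp-branch": "release18.12",
    }
    for host, ver in inventory.items():
        status = "AFFECTED, upgrade" if is_affected(ver) else "fixed"
        print(f"{host:12} {ver:14} {status}")
```

Feed it the version of every OFBiz instance you operate, including test and legacy systems, since the affected range covers all release lines before 18.12.11.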

IV. Vulnerability Handling

Both vulnerabilities are fixed in the latest official release. If your deployed version falls into the affected range, upgrade to 18.12.11 or later from the official download page.

https://ofbiz.apache.org/download.html

Note: Back up your files and test the upgrade thoroughly before applying it to production.