Archive for September 7, 2024

Critical Vulnerability In OFBiz Software Allows Arbitrary Code Execution

Posted in Commentary with tags on September 7, 2024 by itnerd

A critical security vulnerability has been disclosed in Apache OFBiz (Open For Business). OFBiz is a suite of business applications for CRM and ERP that also functions as a Java-based web framework. The vulnerability, tracked as CVE-2024-45195 with a CVSS score of 7.5, affects all versions of the software before 18.12.16.

According to Rapid7 security researcher Ryan Emmons, the flaw allows an attacker without valid credentials to exploit missing view authorization checks in the web application and execute arbitrary code on the server.
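To make the bug class concrete, here is an added example (written for this post, not OFBiz code, and not a reproduction of CVE-2024-45195) of a toy view dispatcher. The vulnerable version renders whatever view the request names without asking who is asking, which is the "missing view authorization check" pattern; the hardened version is deny-by-default and checks login and permission before rendering. The view names, permission strings and the `Request` shape are all hypothetical.

```python
"""Added example: a toy request dispatcher showing the bug class behind
"missing view authorization checks" (forced browsing), next to a hardened
version. Illustrative code written for this post; it is not OFBiz source
and does not reproduce CVE-2024-45195."""

from dataclasses import dataclass, field
from typing import Callable, Optional, Set


@dataclass
class Request:
    """Constructed sample request: a requested view plus the caller's session."""
    view: str
    user: Optional[str] = None              # None means unauthenticated
    permissions: Set[str] = field(default_factory=set)


class AuthorizationError(Exception):
    """Raised by the hardened dispatcher when a request is refused."""


# Hypothetical view table: view name -> permission required to render it.
# None marks a public view; anything else needs a login plus that permission.
VIEWS = {
    "welcome": None,
    "orderList": "ORDER_VIEW",
    "adminConsole": "ADMIN",
}


def render(view: str) -> str:
    # Stand-in for template rendering; the interesting part is who reaches it.
    return f"<rendered {view}>"


def dispatch_vulnerable(req: Request) -> str:
    """Vulnerable pattern: the dispatcher trusts the view name in the request
    and renders it without checking the caller. Every view that exists by
    name is reachable by an unauthenticated client (forced browsing)."""
    if req.view not in VIEWS:
        raise KeyError(req.view)
    return render(req.view)


def dispatch_hardened(req: Request) -> str:
    """Hardened pattern: deny-by-default. Unknown views are refused, protected
    views require an authenticated user holding the required permission, and
    the check runs before any rendering or side effect."""
    if req.view not in VIEWS:
        raise AuthorizationError(f"unknown view {req.view!r}")
    required = VIEWS[req.view]
    if required is None:
        return render(req.view)
    if req.user is None:
        raise AuthorizationError("login required")
    if required not in req.permissions:
        raise AuthorizationError(f"missing permission {required}")
    return render(req.view)


def is_allowed(dispatcher: Callable[[Request], str], req: Request) -> bool:
    """Audit helper: True if the given dispatcher would render the view."""
    try:
        dispatcher(req)
        return True
    except (AuthorizationError, KeyError):
        return False


if __name__ == "__main__":
    anon_admin = Request(view="adminConsole")          # no session at all
    print("vulnerable renders adminConsole for anonymous:",
          is_allowed(dispatch_vulnerable, anon_admin))
    print("hardened renders adminConsole for anonymous:  ",
          is_allowed(dispatch_hardened, anon_admin))
```

The point of the hardened version is that the authorization decision is attached to the view lookup itself, so adding a new protected view without a permission entry fails closed instead of silently becoming reachable.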

Stephen Gates, Principal Security SME, Horizon3.ai, had this to say:

  “The series of interrelated vulnerabilities, reportedly bypassing previous patches, likely has users frustrated. Patching is time-consuming and most often leads to a short outage, which in many cases is unacceptable for those who must maintain 5-nines or better.

  “This endless cycle of applying a patch, then a new vulnerability is discovered, then yet another round of patching is likely contributing to organizations waiting to patch, which ultimately increases the likelihood of exploitation and subsequent breaches.

  “What’s urgently needed is an entirely new class of solution for organizations that can’t immediately apply patches.”

Evan Dornbush, a former NSA cybersecurity expert, offers additional comments:

  “Rapid7’s research here is impressive and commendable. While the OFBiz team had previously released a series of patches to address symptoms, Ryan Emmons’ creativity appears to tackle the root cause, effectively closing the gap in software critical to business operations.

  “It’s encouraging to see how the ingenuity of the research community drives meaningful improvements in software security. This work highlights the criticality of fostering a vibrant research community that can continue to contribute to the improvement of the ecosystem. By leveraging the collective mindshare of researchers, vendors and system owners can more effectively identify and mitigate emerging threats.”

This is one of those times where, if you use this software, you should install the patch (upgrade to 18.12.16 or later) ASAP, because it’s safe to assume that threat actors will be exploiting this vulnerability now that the details are public.