Apache OFBiz zero-day pummeled by exploit attempts after disclosure

SonicWall says it has observed thousands of daily attempts to exploit an Apache OFBiz zero-day for nearly a fortnight.

The near-maximum severity zero-day vuln in OfBiz, an open source ERP system with what researchers described as a surprisingly wide install base, was first disclosed on December 26. Since then, attackers have gone for it with large numbers of exploitation attempts.

The numbers have remained consistent since the turn of the new year, SonicWall confirmed to The Register today.

If you use the Apache Software Foundation framework, which includes business process automation apps and other enterprise-friendly functions, you should upgrade to OFBiz version 18.12.11 immediately to patch both this and a second, equally serious hole.

Tracked as CVE-2023-51467, the 9.8-rated vulnerability is an authentication bypass flaw. A successful exploit of it would let an attacker circumvent authentication processes, enabling them to remotely execute arbitrary code, meaning they can access and expose sensitive information.

The threat researchers said they found the flaw while investigating the root cause of the other flaw, a separate, equally severe authentication bypass RCE vulnerability tracked as CVE-2023-49070.

Apache’s patch for the ‘070 bug involved removing the code for the XML-RPC API, which was no longer maintained, but further analysis from SonicWall revealed the root cause to be in the login functionality.

Failing to patch the root cause of CVE-2023-49070 meant the authentication bypass vulnerability, currently under widespread exploitation, still remained in OFBiz.

Apache OFBiz is believed to have a large number of users, with SonicWall noting Atlassian’s Jira alone is relied upon by more than 120,000 companies. Atlassian customer support, however, has since said Jira’s implementation isn’t vulnerable.

“We have contacted Prodsec, looking at the code in Jira DC, Jira Cloud, Confluence DC, and Confluence Cloud to confirm that we are not using the vulnerable framework. Jira only uses a fork of Apache’s OfBiz Entity Engine module, which does not include the affected areas of code. Additionally, Confluence does not use the Entity Engine module at all.”

SonicWall researchers developed two test cases that showed how exploitation of the issue was possible.

The blog post by Hasib Vhora, senior threat researcher at SonicWall, goes into the finer details about the two test cases, but the main takeaway is that the authentication bypass is caused by unexpected behavior when the requirePasswordChange parameter of the login function is set to “Y” in the URI.

Vhora commended the response of the Apache OFBiz team, fixing the problem swiftly. The two test cases developed by SonicWall have been used against the patched version (18.12.11) and are no longer successful.

“We appreciate the prompt response and remediation by the Apache OFBiz team,” Vhora said. “They demonstrated extreme care for the security of their customers and were a pleasure to work with.” ®

READ MORE HERE