A critical Apache OFBiz pre-authentication remote code execution vulnerability is being actively exploited using public proof-of-concept (PoC) exploits.
Apache OFBiz is an open-source enterprise resource planning system many businesses use for e-commerce inventory and order management, human resources operations, and accounting.
OFBiz is part of Atlassian JIRA, a commercial project management and issue-tracking software used by over 120,000 companies worldwide.
Any flaws in the open-source project are inherited by Atlassian's product.
This authentication bypass flaw is tracked as CVE-2023-49070 and was fixed in OFBiz version 18.12.10, released on December 5, 2023.
While investigating Apache's fix, which was to remove the XML-RPC code from OFBiz, SonicWall researchers discovered that the root cause for CVE-2023-49070 was still present.
This incomplete fix still allowed attackers to exploit the bug in a fully patched version of the software.
In a write-up published yesterday, SonicWall researchers demonstrate it's possible to bypass Apache's fix for the CVE-2023-49070 vulnerability when using specific credential combinations.
SonicWall reported their findings to the Apache team, who quickly resolved the flaw, which they categorized as a server-side request forgery problem.
The new bypass issue was assigned CVE-2023-51467 and was addressed in OFBiz version 18.12.11, released on December 26, 2023.
Not many have upgraded to this latest release yet, and the abundance of public PoC exploits for the pre-auth RCE makes the flaw an easy target for hackers.
Threat monitoring service 'Shadowserver' reported today that it has detected quite a few scans that leverage public PoCs, attempting to exploit CVE-2023-49070.
Kijewski told BleepingComputer that current exploitation attempts are being conducted to find vulnerable servers by forcing them to connect to an oast.online URL. The researchers further said those scanning vulnerable servers are particularly interested in finding vulnerable Confluence servers.
Confluence servers are a popular target for threat actors because they commonly hold sensitive data that can be used to move laterally to other internal services or for extortion.
To minimize the risk, users of Apache OFBiz are recommended to upgrade to version 18.12.11 as soon as possible.
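As an added illustration of the detection side of what Shadowserver describes (this is not code from the article, Apache, or SonicWall), the following Python scanner reads egress proxy log lines and flags an OFBiz host calling out to an oast.online-style interaction domain, which is the tell-tale of a successful scan probe. The proxy log format and the OAST domains other than oast.online are assumptions.

```python
import re
from typing import List, Tuple

# Out-of-band interaction domains. oast.online is the one the article reports;
# the others are further interaction-callback services commonly used by
# scanners (assumption: illustrative list, extend it with your own data).
OAST_DOMAINS = ("oast.online", "oast.fun", "oast.pro", "oast.me",
                "interact.sh", "oastify.com", "burpcollaborator.net")

# Simplified egress proxy log format (assumed/constructed for this example):
# "<epoch> <client_ip> <method> <url> <status>"
_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
                   r"(?P<url>\S+)\s+(?P<status>\d{3})$")
_HOST = re.compile(r"^[a-z]+://(?P<host>[^/:]+)", re.IGNORECASE)


def host_of(url: str) -> str:
    """Extract the host part of a URL ('' if the URL has no scheme)."""
    m = _HOST.match(url)
    return m.group("host").lower() if m else ""


def is_oast_host(host: str) -> bool:
    """True if host is an OAST domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OAST_DOMAINS)


def find_oast_callbacks(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client_ip, host) for each egress request to an OAST domain."""
    hits = []
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:            # skip lines that do not fit the expected format
            continue
        host = host_of(m.group("url"))
        if host and is_oast_host(host):
            hits.append((m.group("ts"), m.group("client"), host))
    return hits


# Constructed sample log: 10.0.0.12 stands in for an internal OFBiz server.
SAMPLE_LOG = [
    "1703780713 10.0.0.12 GET http://c8k1abc.oast.online/ 200",
    "1703780714 10.0.0.12 GET https://repo.maven.apache.org/maven2/ 200",
    "1703780715 10.0.0.12 POST http://abc.oastify.com:80/x 200",
    "malformed line that should be ignored",
]

if __name__ == "__main__":
    for ts, client, host in find_oast_callbacks(SAMPLE_LOG):
        print(f"{ts} {client} -> {host}: server-side callback, review for OFBiz probing")
```

A hit means the server itself initiated the request, so correlate it with the inbound OFBiz request log at the same timestamp to identify the source of the probe.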
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 28 Dec 2023 16:25:13 +0000