Apache OfBiz: Vulnerabilities allow code injection
An updated version of the ERP software Apache OfBiz closes security vulnerabilities that allow attackers to execute malicious code.
(Image: created with AI in Bing Designer by heise online / dmk)
Two vulnerabilities in the enterprise resource planning (ERP) software Apache OfBiz could allow attackers to inject malicious code. An updated version of the software fixes both.
The more serious of the two only narrowly misses a "critical" rating. According to the brief description, attackers can bypass the same-site restriction and redirect requests to other targets via URL parameters. The underlying weaknesses are improper control of code generation, combined with cross-site request forgery (CSRF) and insufficient neutralization of special elements in the OfBiz template engine (CVE-2024-48962, CVSS 8.9, risk "high").
Two vulnerabilities jeopardize Apache OfBiz
The vulnerability with the CVE number CVE-2024-47208 has not yet been given a CVSS score. "URLs allow the use of groovy expressions, which leads to the execution of code from the network," is how the developers describe it. They classify it as server-side request forgery (SSRF) and improper control of code generation ("code injection"), and rate its severity as "important".
CERT-Bund, the computer emergency response team of Germany's Federal Office for Information Security (BSI), goes further and rates both vulnerabilities as critical, with a CVSS score of 9.8. Both affect Apache OfBiz versions prior to 18.12.17; version 18.12.17 or newer contains the fixes. The developers recommend updating to that version.
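The only fact an administrator needs from the two advisories is the version boundary: anything older than 18.12.17 is affected. The following script, an added example that is not part of the article or of the Apache OFBiz project, turns that boundary into a check that can be run over an inventory of hosts. It assumes version strings of the form used by OFBiz releases (dotted numbers, optionally followed by a suffix such as "-SNAPSHOT"); the host names and versions in the sample inventory are constructed for illustration.

```python
# Added example, not code from the article or the Apache OFBiz project.
# Flags Apache OFBiz installations older than 18.12.17, the first fixed
# release named in the text. Assumes dotted numeric version strings with an
# optional pre-release suffix such as "-SNAPSHOT" or "-RC1".
import re

FIXED_VERSION = "18.12.17"

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(.*)$")


def parse_version(version: str) -> tuple:
    """Split a version string into (numeric components, is_prerelease).

    "18.12.16"          -> ((18, 12, 16), False)
    "18.12.17-SNAPSHOT" -> ((18, 12, 17), True)
    A snapshot or release candidate is treated as a pre-release because it
    may predate the commit that fixed the issue.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    prerelease = bool(m.group(2).strip())
    return numbers, prerelease


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` is older than the release that carries the fixes.

    Shorter tuples are padded with zeros so "18.12" compares like "18.12.0".
    A pre-release of exactly the fixed version is conservatively treated as
    affected, since it cannot be assumed to contain the fix.
    """
    have, prerelease = parse_version(version)
    want, _ = parse_version(fixed)
    width = max(len(have), len(want))
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    if have < want:
        return True
    return have == want and prerelease


def hosts_needing_update(inventory) -> list:
    """Given (host, version) pairs, return the hosts still on an affected version."""
    return [host for host, version in inventory if is_affected(version)]


# Constructed sample inventory; host names and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("erp-prod-01", "18.12.16"),
    ("erp-prod-02", "18.12.17"),
    ("erp-test", "18.12.17-SNAPSHOT"),
    ("erp-legacy", "17.12.11"),
    ("erp-next", "18.12.18"),
]

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: update to Apache OFBiz {FIXED_VERSION} or newer")
```

Feed the function the version reported by each installation (for example from a configuration management inventory) rather than a hand-typed list; the conservative handling of snapshot builds is deliberate, because a build stamped 18.12.17-SNAPSHOT may have been cut before the fixing commits landed.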
In August, the US cyber security agency CISA warned that attacks exploiting vulnerabilities in Apache OfBiz had been observed in the wild, so the software is evidently a worthwhile target for cyber criminals. IT managers should therefore not postpone the update but apply it promptly.
(dmk)