Apache this week announced a security update for the open source enterprise resource planning (ERP) system OFBiz, to address two vulnerabilities, including a bypass of patches for two exploited flaws.

The bypass, tracked as CVE-2024-45195, is described as a missing view authorization check in the web application, which allows unauthenticated, remote attackers to execute code on the server. Both Linux and Windows systems are affected, Rapid7 warns.

According to the cybersecurity firm, the bug is related to three recently addressed remote code execution (RCE) flaws in Apache OFBiz (CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856), including two that are known to have been exploited in the wild.

Rapid7, which identified and reported the patch bypass, says that the three vulnerabilities are, in essence, the same security defect, as they have the same root cause.

Disclosed in early May, CVE-2024-32113 was described as a path traversal that allowed an attacker to “interact with an authenticated view map via an unauthenticated controller” and access admin-only view maps to execute SQL queries or code. Exploitation attempts were seen in July. 

The second flaw, CVE-2024-36104, was disclosed in early June, also described as a path traversal. It was addressed with the removal of semicolons and URL-encoded periods from the URI.

In early August, Apache drew attention to CVE-2024-38856, described as an incorrect authorization security defect that could lead to code execution. In late August, the US cyber defense agency CISA added the bug to its Known Exploited Vulnerabilities (KEV) catalog.

All three issues, Rapid7 says, are rooted in controller-view map state fragmentation, which occurs when the application receives unexpected URI patterns. The payload for CVE-2024-38856 works for systems affected by CVE-2024-32113 and CVE-2024-36104, “since the root cause is the same for all three”.

The bug was addressed with permission checks for two view maps targeted by previous exploits, preventing the known exploit techniques, but without resolving the underlying cause, namely “the ability to fragment the controller-view map state”.

“All three of the previous vulnerabilities were caused by the same shared underlying issue, the ability to desynchronize the controller and view map state. That flaw was not fully addressed by any of the patches,” Rapid7 explains.

The cybersecurity firm targeted another view map to exploit the software without authentication and attempt to dump “usernames, passwords, and credit card numbers stored by Apache OFBiz” to an internet-accessible folder.

Apache OFBiz version 18.12.16 was released this week to resolve the vulnerability by implementing additional authorization checks.

“This change validates that a view should permit anonymous access if a user is unauthenticated, rather than performing authorization checks purely based on the target controller,” Rapid7 explains.

The OFBiz security update also addresses CVE-2024-45507, described as a server-side request forgery (SSRF) and code injection flaw.

Users are advised to update to Apache OFBiz 18.12.16 as soon as possible, considering that threat actors are targeting vulnerable installations in the wild.

Related: Apache HugeGraph Vulnerability Exploited in Wild

Related: Critical Apache OFBiz Vulnerability in Attacker Crosshairs

Related: Misconfigured Apache Airflow Instances Expose Sensitive Information

Related: Remote Code Execution Vulnerability Patched in Apache OFBiz