Attackers are targeting a critical authentication bypass vulnerability in the Apache OFBiz open-source ERP platform, which is included in a number of third-party applications.
Apache released a fix for the vulnerability (CVE-2023-51467) in December after researchers at SonicWall discovered the bug and disclosed it to the maintainers. In the days since the fix was made available, attackers have been attempting to exploit the vulnerability, and SonicWall’s data shows more than 4,000 exploit attempts per day since the beginning of January. GreyNoise data also shows malicious exploit attempts against this vulnerability in recent days.
The vulnerability itself is related to an earlier bug (CVE-2023-49070) and the SonicWall researchers uncovered it after trying to discover the root cause of the older flaw.
“We were intrigued by the chosen mitigation when analyzing the patch for CVE-2023-49070 and suspected the real authentication bypass would still be present since the patch simply removed the XML RPC code from the application. As a result, we decided to dig into the code to figure out the root cause of the auth-bypass issue. As anticipated, the root issue was in the login functionality,” Hasib Vhora, a senior threat researcher at SonicWall, wrote in a post analyzing the bug.
The OFBiz app is a Java-based framework that includes CRM and ERP functionality. The framework is included in other apps, notably Atlassian’s JIRA, a widely deployed system for issue and project tracking.
“As a result, like with many supply chain libraries, the impact of this vulnerability could be severe if leveraged by threat actors. Our research demonstrates that this flaw could lead to the exposure of sensitive information or even the ability to execute arbitrary code,” Vhora said.
Organizations that are still using a vulnerable version of the OFBiz application should upgrade to version 18.12.11 as soon as possible.