Critical Apache OFBiz Zero-day AuthBiz (CVE-2023-49070 and CVE-2023-51467)
Cybersecurity researchers have identified a critical authentication bypass vulnerability in the Apache OFBiz Enterprise Resource Planning (ERP) system, designated CVE-2023-51467, with a CVSS score of 9.8. The flaw exists because the patch for a previously disclosed pre-auth Remote Code Execution (RCE) vulnerability, CVE-2023-49070, was incomplete. Given OFBiz's extensive installation base, attackers have exploited this flaw on a large scale.

An authentication bypass vulnerability lets an attacker gain unauthorized access to a system without valid credentials. In Apache OFBiz, CVE-2023-51467 resulted from an incomplete patch that left alternative endpoints open to exploitation. Virtual patching is highlighted as a critical measure for addressing such vulnerabilities when the vendor's patch proves insufficient.

CVE-2023-51467 is rated critical, with a CVSS v3.x base score of 9.8, and is exploitable by remote, unauthenticated attackers. CVE-2023-49070 carries the same critical rating and CVSS score; it stems from a flaw in the XML-RPC code that handles password change parameters. Researchers have developed proof-of-concept (PoC) exploit code for CVE-2023-51467, demonstrating its severity through two test cases that successfully bypass authentication. The vulnerability also opens the possibility of Server-Side Request Forgery (SSRF) exploits.

To mitigate these risks, upgrade to the latest release of Apache OFBiz, version 18.12.11, and review the Apache Security Advisory for the latest updates. Versions 18.12.10 and below are affected by CVE-2023-51467; versions 18.12.9 and below are affected by CVE-2023-49070.

CVEs: CVE-2023-50164, CVE-2023-46604, CVE-2023-49070, CVE-2023-51467

[View Article](https://www.indusface.com/blog/apache-ofbiz-0-day/)
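The affected-version ranges above are the first thing a defender needs when triaging an OFBiz estate. The following Python helper, added here as an illustration and not taken from the Indusface article or the OFBiz project, maps each deployed version to the CVEs it is exposed to, using only the thresholds the summary states (18.12.9 and below for CVE-2023-49070, 18.12.10 and below for CVE-2023-51467, 18.12.11 fixed). The host names and versions in the inventory are constructed sample data, and the handling of a `-SNAPSHOT`-style suffix is an assumption about how version strings may be reported.

```python
# Added example (not from the article or the OFBiz project): triage an OFBiz
# inventory against the affected-version ranges stated in the advisory summary.
from typing import Dict, List, Tuple

# Highest affected version per CVE, as given in the summary.
AFFECTED_MAX: Dict[str, Tuple[int, int, int]] = {
    "CVE-2023-49070": (18, 12, 9),   # "18.12.9 and below"
    "CVE-2023-51467": (18, 12, 10),  # "18.12.10 and below"
}
FIXED_VERSION = "18.12.11"           # release the summary recommends upgrading to


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '18.12.10' into (18, 12, 10).

    Anything after a hyphen (e.g. a '-SNAPSHOT' suffix; assumed reporting
    format) is dropped, and missing components are treated as 0 so that
    '18.12' compares as 18.12.0.
    """
    core = version.strip().split("-", 1)[0]
    try:
        parts = [int(p) for p in core.split(".")]
    except ValueError:
        raise ValueError(f"unrecognised OFBiz version string: {version!r}") from None
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def affected_cves(version: str) -> List[str]:
    """Return the CVEs from AFFECTED_MAX that cover this version, sorted.

    Tuple comparison means older branches (e.g. 17.12.x) fall below both
    thresholds and are reported as affected by both CVEs.
    """
    v = parse_version(version)
    return sorted(cve for cve, max_bad in AFFECTED_MAX.items() if v <= max_bad)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (host, version, cves) for every host that still needs the upgrade."""
    findings = []
    for host, version in inventory:
        cves = affected_cves(version)
        if cves:
            findings.append((host, version, cves))
    return findings


# Constructed sample inventory; not real hosts.
SAMPLE_INVENTORY = [
    ("erp-prod-01", "18.12.9"),
    ("erp-qa-02", "18.12.10"),
    ("erp-dev-03", "18.12.11"),
    ("erp-legacy-04", "17.12.4-SNAPSHOT"),
]

if __name__ == "__main__":
    for host, version, cves in triage(SAMPLE_INVENTORY):
        print(f"{host}: {version} -> upgrade to {FIXED_VERSION} ({', '.join(cves)})")
```

Run as a script it prints one line per host still below 18.12.11; import it and call `affected_cves()` from an asset-management job to flag hosts automatically. Because the check is purely version-based, it says nothing about whether a virtual patch or compensating control is already in place, so treat its output as a worklist rather than a final risk rating.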