- A critical vulnerability in Apache OFBiz has seen a surge in exploitation attempts in recent weeks; the flaw could allow attackers to take control of affected systems and launch supply chain attacks, according to researchers from SonicWall.
- Apache OFBiz is an open source enterprise resource planning system that is used in a wide range of software, including Atlassian Jira, which is used by more than 120,000 companies. "Jira uses a customized OFBiz Entity Engine that does not implement the vulnerable framework module," a spokesperson for Atlassian told Cybersecurity Dive via email.
- The authentication bypass vulnerability, listed as CVE-2023-51467, has a CVSS score of 9.8 and could expose sensitive data or allow an unauthenticated attacker to execute arbitrary code.
Researchers from SonicWall Capture Labs discovered the vulnerability while conducting research on a prior Apache vulnerability, CVE-2023-49070.
A patch designed to fix the prior vulnerability, however, did not fully resolve the issue: the patch removed the XML-RPC code, but the ability to bypass authentication measures remained.
“We have seen a large increase in exploitation attempts of this vulnerability since the public release of the information,” Douglas McKee, executive director of threat research at SonicWall, said via email.
Late last month, researchers from Shadowserver said they observed scanning using a published proof of concept for CVE-2023-49070, which began in early December.
SonicWall said Apache OFBiz users should immediately upgrade to at least version 18.12.11. Researchers have also developed an IPS signature — IPS:15949 — to detect active exploitation activity for the vulnerability.
The Apache Security Response Team has no firsthand information about exploitation activity, but it is urging companies to assess the potential impact and immediately upgrade to the new version.
Users should also follow best practices, including exposing the system only to users who need it and keeping to a regular update regime, according to a spokesperson.
Editor’s note: This article has been updated to include a statement from Atlassian.