Fixing Authentication Bypass Vulnerabilities in Apache OfBiz- CVE-2023-49070 & CVE-2023-51467

The SonicWall Capture Labs threat research team recently published findings about a critical authentication bypass vulnerability in Apache OFBiz tracked as CVE-2023-51467. Apache OFBiz is an open-source Enterprise Resource Planning (ERP) system used by companies worldwide for inventory, accounting, HR functions. Disclosed on December 26th 2023, this zero-day flaw carries a severity score of 9.8 out of 10 on the CVSS scale, allowing remote unauthenticated attackers to bypass login and security checks to access sensitive data or execute arbitrary code.

Given Apache OFBiz's wide adoption across over 120,000 organizations and use in IT infrastructure, this vulnerability poses extreme risk if exploited by threat actors before patching. Successful exploitation enables obtaining confidential corporate data, manipulating business processes, and lateral movement across networks by compromising OFBiz servers. In this blog, we provide an in-depth analysis of CVE-2023-51467 based on SonicWall's research, evaluate how this authentication bypass works, understand implications for companies running Apache OFBiz, and review necessary remediation measures involving upgrading software and additional controls to mitigate risks introduced.

What is Apache OFBiz?

Apache OFBiz is an open source ERP system written in Java and released under the Apache license. It provides a suite of business tools for companies to manage operations. According to Atlassian, over 120,000 companies worldwide use their JIRA product which integrates Apache OFBiz components for inventory and order management.

Authentication Bypass Vulnerabilities Explained

Authentication bypass vulnerabilities allow attackers to bypass login or authentication checks and access protected data and functionality. They are considered critical risks in web applications and remote services.

In the case of Apache OFBiz, the authentication bypass flaws allowed remote unauthenticated arbitrary code execution and access to sensitive data on servers running the platform. This means anyone could remotely run commands and access confidential data without needing login credentials.

Overview of Disclosed Vulnerabilities

Two major authentication bypass vulnerabilities have recently been disclosed in Apache OFBiz by the SonicWall Capture Labs research team - CVE-2023-49070 and the more severe CVE-2023-51467.

CVE-2023-49070

This vulnerability with a CVSS v3.x score of 9.8 (critical severity) was disclosed on December 5, 2023.

It allowed bypassing authentication checks due to flawed logic in handling password change parameters in XML-RPC code. Remote unauthenticated attackers could leverage this to achieve remote code execution on vulnerable OFBiz servers.

While initially mitigated by removing vulnerable XML-RPC code, it highlighted deeper authentication flaws that led to CVE-2023-51467 disclosure later.

CVE-2023-51467

Disclosed on December 26, 2023 after further analysis into root causes of authentication weaknesses, this vulnerability also has a CVSS v3.x rating of 9.8 out of 10.

By manipulating request parameters, remote unauthenticated attackers could exploit it to completely bypass OFBiz's authentication and authorization checks. This enabled compromising confidential data as well as uploading malicious scripts for remote code execution.

This represented the core authentication weakness that manifested as an exploit through the XML-RPC vector earlier in CVE-2023-49070. It allows reliable exploitation of OFBiz servers irrespective of XML-RPC being disabled.

Both flaws require urgent patching and installing or upgrading to newer OFBiz releases to mitigate widespread risk introduced for its numerous users. We next analyze the technical workings of these vulnerabilities.

Technical Analysis

Upon analyzing the authentication logic, researchers found flaws that enabled bypassing login checks in certain scenarios.

How CVE-2023-49070 Works

This vulnerability concerned an authentication bypass related to the deprecated XML-RPC interface in OFBiz. Specifically the logic checked for a

requirePasswordChange

parameter and would return

requirePasswordChange

even with empty or invalid credentials. This allowed the later authentication check to be skipped.

By sending requests with empty credentials but setting

requirePasswordChange=Y

, attackers could remotely execute commands.

How CVE-2023-51467 Works

After patching CVE-2023-49070 by removing XML-RPC code, researchers found the root authentication flaw still remained. Further analysis showed the login function did not properly check for empty/invalid usernames and passwords, allowing requirePasswordChange to trigger authentication bypass similar to CVE-2023-49070.

This enables server-side request forgery even for updated OFBiz versions by removing XML-RPC.

Comparing the Vulnerabilities

While CVE-2023-49070 concerned bypass via XML-RPC, CVE-2023-51467 showed an underlying authentication flaw that enabled bypass without XML-RPC as well.

In essence, CVE-2023-51467 represented the root cause that led to bypass in CVE-2023-49070 through XML-RPC. Removing XML-RPC mitigated the first vulnerability but the core issue remained unpatched until later.

Versions Affected

All versions of Apache OFBiz starting from branch 18.12 i.e. 18.12.x and lower are affected by these vulnerabilities prior to patching, Specifically:

CVE-2023-49070

CVE-2023-51467

So any organizations running instances on:

are exposed to critical authentication bypass risks until upgrading.

All versions below the 18.12 branch may also be vulnerable and upgrading to 18.12.11 is recommended after testing.

Bottom Line

The critical authentication vulnerabilities recently disclosed in Apache OFBiz require immediate attention and patching by companies using the platform given the immense risks posed.

While upgrading enterprise software like ERP systems involves planning and effort, leaving systems vulnerable to bypassing all login checks is extremely reckless. Within days of disclosure, threat actors could have devised exploitation toolkits putting data and infrastructure at risk across thousands of organizations integrated with Apache OFBiz.

The responsibility demonstrated by SonicWall Capture Labs researchers through coordinated disclosure as well as urgency by the Apache OFBiz team in releasing patched versions minimized exposure periods. On your side, applying the outlined upgrade procedures and additional security controls further reduces risks introduced.

In today's software supply chain age where our code pipelines are highly interconnected, vulnerabilities in integrated platforms establish backdoors spread across numerous endpoints. Proactively keeping all components upgraded hence becomes critical.

For Apache OFBiz consumers specifically in technologies like JIRA, unless patched immediately, dangerously vulnerable authentication means your servers and data could have been compromised despite protective measures through firewalls and network security. Do not let that be the case by upgrading to remediated releases.

As part of migrating, use the opportunity to also establish software upgrade processes and policies so exposures can be mitigated quicker in the future as well. With cyber attacks increasing, eliminating basic vulnerabilities like authentication bypass through updates and testing helps reduce your risk surface.

We hope this post helps you know how to fix Authentication Bypass Vulnerabilities in Apache OfBiz CVE-2023-49070 & CVE-2023-51467. Please share this post and help secure the digital world.Visit our website thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive updates like this.