CVE-2023-51467 & CVE-2023-50968: Critical Security Vulnerabilities in Apache OFBiz

Apache OFBiz offers a comprehensive suite of tools for ERP, CRM, E-Commerce, and more. Hailed for its open-source nature and part of the esteemed Apache Software Foundation, OFBiz has been a top choice for enterprises seeking reliable and scalable solutions. However, the digital landscape is ever-evolving, and with it comes the challenge of maintaining robust security. Recently, two significant vulnerabilities have come to light within Apache OFBiz, posing serious risks to its users.


CVE-2023-50968: Arbitrary file properties reading and SSRF attack

Labeled as ‘important’ in severity and tracked as CVE-2023-50968, this vulnerability allows arbitrary file properties reading – that is, unauthorized access to the contents of properties files on the server. Worse still, it opens the door to Server-Side Request Forgery (SSRF) attacks, in which an attacker tricks the server into issuing requests on their behalf. This flaw was reported by the security researcher Yun Peng.

Versions up to and including 18.12.10 of Apache OFBiz are vulnerable. A swift upgrade to version 18.12.11 fortifies the system against this threat.

CVE-2023-51467: Pre-authentication Remote Code Execution (RCE) vulnerability

Marked as ‘critical’ and tracked as CVE-2023-51467, this pre-authentication remote code execution (RCE) vulnerability allows attackers to bypass authentication entirely and execute code on the server, potentially taking full control of the system. The discovery is credited to the combined efforts of Hasib Vhora, a senior threat researcher at SonicWall, Gao Tian, and L0ne1y.

Any version of Apache OFBiz before 18.12.11 is at risk. The solution is clear and non-negotiable – an update to version 18.12.11 is imperative for security.

For businesses relying on Apache OFBiz, updating to version 18.12.11 is not just a recommendation – it’s a necessity for safeguarding their digital assets.