SonicWall Detects Thousands of OFBiz Zero-Day Attempts

SonicWall has recorded thousands of daily attempts to exploit zero-day vulnerabilities in Apache OFBiz over nearly two weeks. The flaw was first publicized on December 26, leading to a significant increase in exploitation attempts.

Experts confirmed that the number of attacks remained stable since the beginning of 2024. Users of the Apache Software Foundation framework, which includes applications for business process automation and other enterprise functions, are advised to immediately update to OFBiz version 18.12.11. The update addresses both the specified vulnerability and a second, equally dangerous issue.

The vulnerability, CVE-2023-51467 (CVSS score: 9.8), identified in late December, is an authentication bypass error that allows an attacker to circumvent authentication processes and execute arbitrary code on a remote device, potentially leading to access to confidential information.

Researchers identified the issue during root cause analysis of another separate authentication bypass vulnerability with remote code execution (RCE) potential, designated as CVE-2023-49070 (CVSS score: 9.8).

Apache’s fix for the second vulnerability involved removing code for the XML-RPC API, which is no longer supported. However, further analysis by SonicWall revealed that the root cause lies in the login function. The failure to rectify the underlying cause of CVE-2023-49070 resulted in the authentication bypass vulnerability, which is currently widely exploited, remaining in OFBiz.

SonicWall researchers developed two Proof-of-Concept (PoC) exploits demonstrating the feasibility of exploiting the vulnerability. The primary reason for the exploit is that the authentication bypass is triggered by unexpected behavior when setting the requirePasswordChange parameter of the login function to “Y” in the URI. The Apache OFBiz team promptly rectified the issue, and the SonicWall PoC exploits, applied to the corrected version (18.12.11), were no longer effective.