Multiple security vulnerabilities found in Apache OFBiz

CVE-2022-25371

The Apache OFBiz team has recently patched several security vulnerabilities in Apache OFBiz, one of which could allow an attacker to execute malicious code on affected servers remotely.

OFBiz is a Java-based web framework for automating enterprise processes and offers a wide range of functionality, including accounting, customer relationship management, manufacturing operations management, order management, supply chain fulfillment, and warehouse management system, among others.


Tracked as CVE-2022-25813, the flaw affects all versions of the software prior to 18.12.06 and is caused by a server-side template injection flaw in the ecommerce plugin. By sending specially crafted content in the message “Subject” field of the “Contact us” page, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Tracked as CVE-2022-29158, Apache OFBiz is vulnerable to a denial of service caused by a regular expression denial of service (ReDoS) flaw in its handling of URLs. By sending specially crafted input to the vulnerable regular expression, a remote attacker could exploit this vulnerability to cause a denial of service condition. The bug affects Apache OFBiz up to version 18.12.05.

Tracked as CVE-2022-29063, the flaw affects all versions of the software prior to 18.12.06: by default, the software is configured to automatically make an RMI request to localhost on port 1099. By sending a specially crafted RMI connection request, an attacker could exploit this vulnerability to execute arbitrary code on the system.

OFBiz versions prior to 18.12.06 are vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Birt viewer. A remote attacker could exploit this vulnerability to inject malicious script into a Web page, which would be executed in a victim’s Web browser within the security context of the hosting Web site once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials. The flaw is tracked as CVE-2022-25370 and has high severity.

Tracked as CVE-2022-25371, Apache OFBiz could allow a remote attacker to traverse directories on the system, caused by a flaw in the Birt viewer. An attacker could send a specially crafted URL request containing “dot dot” sequences (/../) to execute arbitrary code on the system. CVE-2022-25371 affects OFBiz versions prior to 18.12.06.
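The directory traversal and URL-handling flaws above both come down to user-controlled path fragments reaching the file system without canonicalization. The following Python script is an added example, not code from the article or from the Apache OFBiz project: it shows the defensive check (decode, normalize, then confirm the result is still under the intended root) and applies the same check to constructed web-server access-log lines so an administrator monitoring an affected system can flag traversal attempts, including URL-encoded and double-encoded ones. The `/report/view` endpoint, the `name` query parameter, the `/srv/reports` root and every log line are assumptions invented for the example; the real Birt viewer endpoint and parameter names are not given on this page.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Common Log Format); no real host is referenced.
# The endpoint and parameter name are hypothetical stand-ins for a report viewer.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2022:10:00:01 +0000] "GET /ecommerce/control/main HTTP/1.1" 200 5120
10.0.0.7 - - [01/May/2022:10:00:03 +0000] "GET /report/view?name=../../../etc/hosts HTTP/1.1" 200 1844
10.0.0.7 - - [01/May/2022:10:00:04 +0000] "GET /report/view?name=..%2F..%2Fsecret.rptdesign HTTP/1.1" 404 311
10.0.0.7 - - [01/May/2022:10:00:05 +0000] "GET /report/view?name=%252e%252e%252fsecret HTTP/1.1" 404 311
10.0.0.9 - - [01/May/2022:10:00:06 +0000] "GET /report/view?name=sales.rptdesign HTTP/1.1" 200 9001
"""

# Minimal Common Log Format parser: client IP, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing, so double encoding
    (%252e -> %2e -> '.') cannot hide a traversal sequence."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_resolve(root, user_path):
    """Return the canonical path for user_path under root, or None if the
    request would escape root. This is the check a file-serving handler
    should perform instead of string-matching for '..'."""
    decoded = fully_decode(user_path).replace("\\", "/")
    if "\x00" in decoded:                      # embedded NUL can truncate paths in native code
        return None
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # The canonical result must be root itself or a descendant of root.
    if candidate != root and not candidate.startswith(root.rstrip("/") + "/"):
        return None
    return candidate


def scan_log(text, root="/srv/reports", param="name"):
    """Flag requests whose `param` value would escape `root` after decoding.
    Returns a list of (client_ip, raw_url) tuples for the offending requests."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        query = parse_qs(urlsplit(url).query)   # parse_qs performs one round of decoding
        for value in query.get(param, []):
            if safe_resolve(root, value) is None:
                hits.append((m.group("ip"), url))
    return hits


if __name__ == "__main__":
    for ip, url in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {url}")
```

The scan flags the three requests from 10.0.0.7 and leaves the ordinary report request alone. A status code of 404 on a flagged line is not evidence that the attempt failed against a vulnerable version; treat any hit as a reason to confirm the installed version is 18.12.06 or later.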

Matei “Mal” Badanoiu; Tony Torralba and Joseph Farebrother from the GitHub CodeQL team; and npodotykin@ptsecurity.com have been credited with reporting the vulnerabilities.

Administrators are strongly advised to apply the software update (version 18.12.06) as soon as possible, to allow only trusted users network access to the application, and to monitor affected systems.

The researchers have not observed exploitation of any of these Apache OFBiz vulnerabilities in the wild.