CVE-2023-49070: Critical Pre-auth RCE Vulnerability Discovered in Apache OFBiz
Apache OFBiz is a popular open-source enterprise resource planning (ERP) software that provides a comprehensive suite of business applications for various industries. Recently, a critical vulnerability, designated as CVE-2023-49070, has been discovered in Apache OFBiz, affecting versions before 18.12.10. This vulnerability poses a severe security risk, allowing unauthenticated remote code execution (RCE) on affected systems.
Understanding the Vulnerability
The vulnerability stems from the presence of a no-longer-maintained XML-RPC component within Apache OFBiz. XML-RPC is a remote procedure call protocol that encodes calls and responses as XML carried over HTTP. While XML-RPC was once widely used, it has since been deprecated due to security concerns. Keeping this outdated component reachable in Apache OFBiz is what introduces the critical vulnerability.
Exploitation and Impact
By exploiting the CVE-2023-49070 vulnerability, an attacker can execute arbitrary code on the affected Apache OFBiz server without requiring any prior authentication. This grants the attacker complete control over the server, allowing them to steal sensitive data, disrupt operations, or even launch further attacks against the organization’s network.
Security researcher Siebene is credited with finding this flaw and has also published a proof-of-concept.
#CVE-2023-49070
Pre-auth RCE Apache Ofbiz 18.12.09
#POC:
/webtools/control/xmlrpc;/?USERNAME=&PASSWORD=s&requirePasswordChange=Y
cc to me. pic.twitter.com/SHOkhzlH09
— Siebene@ (@Siebene7) December 5, 2023
Affected Versions and Mitigation
Apache OFBiz versions before 18.12.10 are vulnerable to this RCE flaw. To mitigate the risk, organizations are strongly advised to upgrade to Apache OFBiz version 18.12.10 immediately. Upgrading to the latest version will remove the vulnerable XML-RPC component and eliminate the RCE risk.
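While the upgrade is being rolled out, defenders will want to know whether the deprecated XML-RPC handler is still being reached. The following script is an added example written for this article, not code from the Apache OFBiz project or from the researcher. It makes two assumptions that are not stated on the page: that web server access logs are in Combined Log Format (the sample lines below are constructed), and that the XML-RPC handler is served under the /webtools/control/xmlrpc path shown in the published proof-of-concept. It normalises request paths the way a servlet container would (percent-decoding, dropping ";..." path parameters, ignoring the query string) so that the ";/" variant in the PoC and percent-encoded spellings are still matched, reports whether the query string carried the login parameters the PoC uses, and includes a version check against the 18.12.10 fix threshold.

```python
"""Defender-side checks for CVE-2023-49070 (Apache OFBiz XML-RPC component).

Added example, not part of the original advisory or the OFBiz project.
Assumptions not taken from the page: access logs are in Combined Log
Format, and the XML-RPC handler is reachable at /webtools/control/xmlrpc.
"""
import re
from urllib.parse import unquote

FIXED_VERSION = (18, 12, 10)          # first release without the XML-RPC component
XMLRPC_PATH = "/webtools/control/xmlrpc"
# Login parameters that appear in the published PoC query string.
LOGIN_PARAMS = {"username", "password", "requirepasswordchange"}

# Combined Log Format: host ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(version: str) -> tuple:
    """'18.12.09' -> (18, 12, 9) so releases compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True for OFBiz releases before 18.12.10, per the advisory."""
    return parse_version(version) < FIXED_VERSION


def normalize_path(raw_target: str) -> str:
    """Reduce a request target to the servlet path a container would route on.

    Drops the query string, percent-decodes, removes ';param' path parameters
    from every segment (so '/webtools/control/xmlrpc;/' matches), collapses
    duplicate slashes and compares case-insensitively to err towards flagging.
    """
    path = unquote(raw_target.split("?", 1)[0])
    segments = [segment.split(";", 1)[0] for segment in path.split("/")]
    path = "/".join(segments)
    while "//" in path:
        path = path.replace("//", "/")
    return path.rstrip("/").lower()


def flag_request(line: str):
    """Return a finding dict if the log line hits the XML-RPC handler, else None."""
    match = LOG_RE.match(line)
    if not match:
        return None
    raw_target = match.group("path")
    if normalize_path(raw_target) != XMLRPC_PATH:
        return None
    query = raw_target.split("?", 1)[1] if "?" in raw_target else ""
    keys = {unquote(kv.split("=", 1)[0]).lower() for kv in query.split("&") if kv}
    return {
        "host": match.group("host"),
        "time": match.group("time"),
        "method": match.group("method"),
        "status": match.group("status"),
        "login_params_in_query": sorted(keys & LOGIN_PARAMS),
    }


def scan(lines):
    """Run flag_request over an iterable of log lines and collect the findings."""
    return [hit for hit in (flag_request(line) for line in lines) if hit]


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Dec/2023:10:01:12 +0000] "GET /webtools/control/main HTTP/1.1" 200 5123',
    '203.0.113.5 - - [05/Dec/2023:10:01:19 +0000] "POST /webtools/control/xmlrpc;/?USERNAME=&PASSWORD=s&requirePasswordChange=Y HTTP/1.1" 200 841',
    '198.51.100.7 - - [05/Dec/2023:10:02:03 +0000] "POST /webtools/control/xmlrpc HTTP/1.1" 200 300',
    '192.0.2.9 - - [05/Dec/2023:10:03:44 +0000] "GET /ecommerce/control/main HTTP/1.1" 200 9000',
    '198.51.100.7 - - [05/Dec/2023:10:04:10 +0000] "POST /webtools/control/%78mlrpc;jsessionid=abc HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for version in ("18.12.09", "18.12.10"):
        print(f"OFBiz {version}: {'VULNERABLE' if is_vulnerable(version) else 'fixed'}")
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Any hit at all is worth investigating on a release before 18.12.10, since the component has no supported use; a hit whose query string carries the login parameters matches the shape of the published PoC. After upgrading, the same scan should return nothing because the handler no longer exists.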