Recent developments in cybersecurity reveal a critical vulnerability affecting the Apache OFBiz open-source Enterprise Resource Planning (ERP) system. Researchers at VulnCheck have created proof-of-concept (PoC) code exploiting the flaw, tracked as CVE-2023-51467. The vulnerability, which carries a CVSS score of 9.8, allows attackers to execute a memory-resident payload, potentially leading to severe security breaches.

The flaw enables attackers to bypass the application's existing authentication mechanisms and execute arbitrary code remotely. It represents a serious escalation from a related vulnerability, CVE-2023-49070, also rated 9.8. Although the Apache Software Foundation addressed both vulnerabilities in Apache OFBiz version 18.12.11, threat actors have been observed actively targeting unpatched versions.
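As an added, defender-side illustration that is not part of the original article: a small Python helper that parses OFBiz version strings from a constructed asset inventory and flags instances below the 18.12.11 fix release named above. It assumes plain dotted numeric version strings and treats any higher version tuple as containing the fix; the inventory entries and the function names are constructed for this example.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Fix release named in the article for CVE-2023-51467 / CVE-2023-49070.
FIXED_VERSION = "18.12.11"


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse a dotted OFBiz version such as '18.12.10' into a comparable tuple.

    Returns None when the string is not plain dotted integers, so callers can
    report 'unknown' instead of silently treating it as patched.
    """
    match = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(version: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if version >= fixed, False if older, None if version is unparseable.

    Assumption (constructed for this example): any version tuple at or above
    the fix release is treated as containing the fix.
    """
    parsed = parse_version(version)
    fixed_parts = parse_version(fixed)
    if parsed is None or fixed_parts is None:
        return None
    # Pad to equal length so that '18.12' compares as '18.12.0'.
    width = max(len(parsed), len(fixed_parts))
    parsed = parsed + (0,) * (width - len(parsed))
    fixed_parts = fixed_parts + (0,) * (width - len(fixed_parts))
    return parsed >= fixed_parts


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Label each (host, version) pair as patched, VULNERABLE, or unknown."""
    results = []
    for host, version in inventory:
        status = is_patched(version)
        if status is None:
            label = "unknown"
        elif status:
            label = "patched"
        else:
            label = "VULNERABLE"
        results.append((host, version, label))
    return results


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("erp-prod-01.example.internal", "18.12.11"),
    ("erp-prod-02.example.internal", "18.12.10"),
    ("erp-test.example.internal", "18.12"),
    ("erp-legacy.example.internal", "version string missing"),
]

if __name__ == "__main__":
    for host, version, label in triage(SAMPLE_INVENTORY):
        print(f"{label:10} {host} ({version})")
```

Only the VULNERABLE and unknown rows need follow-up; an unparseable version is deliberately not counted as patched, since a missing or malformed value in an inventory is more often a gap in asset data than a sign of a current release.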

The threat landscape is further complicated by VulnCheck's finding that CVE-2023-51467 can be used to execute payloads directly from memory, leaving fewer forensic traces of malicious activity. This is a concern for organizations running this ERP system, since the vulnerability both endangers operational integrity and compounds the exploitation attempts already under way.

Previous security vulnerabilities within Apache OFBiz, such as CVE-2020-9496, have already been exploited by threat actors, including those linked to the Sysrv botnet. Additionally, attempts to exploit a three-year-old vulnerability, CVE-2021-29200, have been observed, with data from GreyNoise indicating activity from 29 unique IP addresses in the past month alone.

Historically, Apache OFBiz was among the early targets exploited after the public disclosure of the Log4Shell vulnerability (CVE-2021-44228), demonstrating its appeal as a target for attackers and its importance to defenders. The exploits associated with CVE-2023-51467 include a publicly identified remote code execution endpoint and an associated PoC for command execution, both surfacing shortly after the vulnerability's disclosure.

Despite security measures such as the Groovy sandbox, which is intended to block the upload of arbitrary web shells, the sandbox's limitations may still permit attackers to run curl commands and potentially obtain a reverse shell on Linux systems. This finding indicates a pressing need for organizations to review and strengthen the security controls around their ERP systems.

VulnCheck’s CTO Jacob Baines noted that while the public discourse around CVE-2023-51467 is escalating, the reality is that effective exploitation through in-memory code execution is indeed feasible. The research team has developed a cross-platform exploit running on both Windows and Linux that employs groovy.util.Eval functions to achieve stealthy execution.

The implications of this situation require urgent attention from businesses running Apache OFBiz, especially given the potential for serious exploitation. The combination of this emerging threat and the older, still-targeted vulnerabilities calls for a proactive approach to cybersecurity within the enterprise sector.
