VYPR
Unrated severity · NVD Advisory · Published Dec 26, 2023 · Updated Aug 19, 2024

Apache OFBiz: Pre-authentication Remote Code Execution (RCE) vulnerability

CVE-2023-51467

Description

The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache OFBiz before 18.12.11 contains a pre-authentication remote code execution vulnerability via a bypass of authentication checks leading to SSRF and RCE.

Vulnerability

Apache OFBiz versions before 18.12.11 are vulnerable to pre-authentication remote code execution (RCE) due to missing authentication checks. The bug resides in the login handling code, where direct null checks on the username, password, and token were replaced with UtilValidate.isEmpty() method calls for consistency [4]. This change inadvertently allows attackers to bypass authentication by supplying empty or null values, leading to a server-side request forgery (SSRF) that can be leveraged for RCE [1][3]. The affected versions include 18.12.10, 22.01.01, and the upcoming branch [4].

Exploitation

An attacker can exploit this vulnerability without any authentication or prior access. Sending crafted HTTP requests to the OFBiz login endpoint with empty or null username/password fields triggers the authentication bypass and, through it, an SSRF [3]. The attacker can then use the SSRF to interact with internal services and achieve remote code execution. No user interaction or special network position is required beyond network reachability of the OFBiz instance.

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary code on the server with the privileges of the OFBiz process, typically leading to full compromise of the application and underlying system. This includes disclosure of sensitive data, modification of data, and potential lateral movement within the network.

Mitigation

Apache OFBiz users should upgrade to version 18.12.11 or later, which was released on 2023-12-26 and contains the fix [2][3]. The project strongly recommends using the latest stable release to minimize security risks [2]. No workarounds are documented; upgrading is the only mitigation. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the last update.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 7

News mentions: 0 (no linked articles in the index yet)