Researchers sound alarm over surge in exploitation of critical Apache OFBiz RCE flaw

SonicWall researchers said they have been observing thousands of daily attempts to exploit a critical vulnerability in the Apache OFBiz (Open For Business) system for nearly two weeks.

Tracked as CVE-2023-51467, the vulnerability is an authentication bypass flaw which, if exploited, allows a remote attacker to circumvent the authentication process and execute arbitrary code on the affected system. The flaw was first disclosed in December 2023, and attackers have been relentless in their efforts to exploit it since.

OFBiz, with its wide install base, has become a prime target for malicious actors seeking to compromise organizations relying on the open-source ERP system. Notably, Apache OFBiz is extensively used in various software applications, including Atlassian Jira, which is utilized by more than 120,000 companies.

Security researchers from The ShadowServer Foundation reported last month that they observed a surge in scanning activities using a published proof of concept for CVE-2023-49070, a pre-authenticated Remote Code Execution (RCE) flaw in Apache OFBiz. The flaw exists due to the presence of an unmaintained XML-RPC interface, which can be abused by a remote hacker to compromise the affected system. It was addressed in OFBiz version 18.12.10, released on December 5, 2023.

Apache OFBiz users are strongly advised to upgrade their systems to at least version 18.12.11. SonicWall researchers have developed an Intrusion Prevention System (IPS) signature, IPS:15949, specifically designed to detect and block active exploitation attempts targeting this vulnerability.

Separately, Shadowserver has warned of a rise in scanning and exploitation attempts against Apache RocketMQ services vulnerable to a remote command execution flaw identified as CVE-2023-33246 and CVE-2023-37582.
