google / tsunami-security-scanner-plugins

This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.
Apache License 2.0

PRP: Request Apache Ofbiz Authentication Bypass Leads to RCE (CVE-2023-51467) #388

Open W0ngL1 opened 5 months ago

W0ngL1 commented 5 months ago

Hi there.

I would like to start implementing a plugin to detect Apache Ofbiz Authentication Bypass Leads to RCE (CVE-2023-51467). This vulnerability was published on 26 Dec 2023.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-51467
https://issues.apache.org/jira/browse/OFBIZ-12873

Description: Apache OFBiz is an open source enterprise resource planning (ERP) system. It provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise. This vulnerability occurs as a result of an incomplete fix for CVE-2023-49070. In Apache OFBiz version 18.12.10, the developers removed the XML-RPC component to fix the previous RCE issue, but the authentication bypass still exists. The researcher from Chaitin Tech found another attack approach to perform the pre-auth RCE using Groovy expression injection.

Versions:
Apache OFBiz <= 22.01.01
Apache OFBiz <= 18.12.10

Thanks.
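The two affected ranges above are per release branch, so a fingerprinted version has to be compared against the bound for its own branch. The helper below is an added, standalone example (not a Tsunami plugin and not code from the OFBiz project or from this issue); it parses a version string, maps it to the branch bounds listed in the comment, and returns an explicit "unknown" rather than a guess for branches the issue does not name. The banner strings it is run against are constructed for illustration, as is the regex used to pull a version out of them.

```python
"""Affected-version check for CVE-2023-51467 using the ranges listed in
the issue: Apache OFBiz <= 22.01.01 and Apache OFBiz <= 18.12.10.

Added example, not project code. Assumption: each "<=" bound applies to
its own release branch (18.12.x and 22.01.x); versions on other branches
are reported as None (not assessed) instead of being guessed.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Highest affected patch level per branch, taken from the issue text.
AFFECTED_UPPER_BOUNDS = {
    (18, 12): (18, 12, 10),
    (22, 1): (22, 1, 1),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")

# Constructed regex for pulling a version out of a banner-like string;
# it is not a claim about what OFBiz actually exposes.
_BANNER_RE = re.compile(r"OFBiz[ /]?(\d+\.\d+(?:\.\d+)?)", re.IGNORECASE)


def parse_version(text: str) -> Optional[Version]:
    """Parse 'MAJOR.MINOR[.PATCH]' into an int tuple ('18.12' -> (18, 12, 0)).

    Leading zeros as in '22.01.01' are handled by int(). Returns None for
    anything that is not a plain dotted version.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version_text: str) -> Optional[bool]:
    """True if inside an affected range, False if on a listed branch but
    above its bound, None if unparseable or on a branch the issue omits."""
    version = parse_version(version_text)
    if version is None:
        return None
    bound = AFFECTED_UPPER_BOUNDS.get(version[:2])
    if bound is None:
        return None  # e.g. 17.12.x: not listed in the issue, review manually
    return version <= bound


def classify_banner(banner: str) -> Tuple[Optional[str], Optional[bool]]:
    """Extract a version from a banner-like string and classify it.

    Returns (version_string_or_None, is_affected_or_None).
    """
    match = _BANNER_RE.search(banner)
    if not match:
        return (None, None)
    version_text = match.group(1)
    return (version_text, is_affected(version_text))


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real host.
    samples = [
        "Apache OFBiz 18.12.09",
        "Apache OFBiz 18.12.11",
        "OFBiz/22.01.01",
        "Apache OFBiz 22.01.02",
        "Apache OFBiz 17.12.09",
        "Some other ERP 1.0",
    ]
    for banner in samples:
        print(banner, "->", classify_banner(banner))
```

A scanner should report the None case separately from "not affected": silently treating an unlisted branch as safe is how a coverage gap turns into a false negative.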

tooryx commented 5 months ago

Hi @W0ngL1,

We are more strictly enforcing the one-review-per-contributor rule, so we will review this submission once the Jenkins one is submitted.

Thank you, ~tooryx

W0ngL1 commented 5 months ago

Copy that.

tooryx commented 5 months ago

Hi @W0ngL1,

We are currently unsure if we would like to continue with this plugin. To have a better vision on the usage of Apache Ofbiz, would you be willing to contribute to a fingerprinting script for it? If so, please open a new issue for it and we will accept it.

~tooryx

W0ngL1 commented 5 months ago

Hi @tooryx, I'll try locally and open a new issue if I can finish this plugin, because I think there may be some problems with the Docker environment.

tooryx commented 5 months ago

Hi @W0ngL1,

Just to clarify: please do not continue working on this CVE for now but you can start writing a fingerprinting plugin for Apache Ofbiz, so that we can decide if we want to continue with this CVE.

~tooryx

W0ngL1 commented 5 months ago

@tooryx, copy that. The reply above is about the fingerprinter for Apache Ofbiz.

W0ngL1 commented 4 months ago

Hi @tooryx, the official source code only provides a Dockerfile for the latest few versions, and I've pushed them to hub.docker.com. Do I need to pack Docker images for all versions?

tooryx commented 4 months ago

How long does it take to pack a version? Ideally, we want to be able to fingerprint as many versions as possible.

W0ngL1 commented 4 months ago

It depends. I used the same Dockerfile provided by the official project to build some older versions, but errors occurred at runtime. So I need to try building OFBiz locally and then build the Docker image manually. Right now only three versions work well with the official Dockerfile.