CRLF injection & Cross-site request forgery vulnerabilityies in Apache OFBizNew

Cybersecurity specialists have revealed the presence of two critical vulnerabilities in Apache OFBiz, an open source automation software developed by Apache Foundation. Successfully exploiting these vulnerabilities could lead to scenarios such as cross-site request forgery (CSRF) and CLRF injection.

The following is a brief explanation of the vulnerabilities found, in addition to their respective Common Vulnerability Scoring System (CVSS) keys. While these are critical security bugs, the good news is that the vendor has already released the corresponding security patches, so affected deployment administrators should only download updates from the official platforms.

CVE-2019-12425: This vulnerability allows a remote threat actor to dodge the security restrictions implemented on the target system. The vulnerability exists because Apache OFBiz is vulnerable to HOST header injection.

An unauthenticated remote attacker can send a specially crafted HTTP request to the application and avoid security restrictions implemented by the administrator. The flaw is present in Apache OFBiz v17.12.01. Although the fault can be exploited remotely, it is unknown if any publicly available exploits exist.

CVE-2019-0235: This is a vulnerability that allows remote malicious hackers to deploy cross-site request forgery (CSRF) attacks. The security failure exists due to insufficient validation of the http request source. A remote threat actor can trick the victim into visiting a specially designed website and perform arbitrary actions by impersonating the victim on the vulnerable website.

The vulnerability is present in Apache OFBiz v17.12.01. This vulnerability can be exploited by an unauthenticated remote attacker over the Internet, although some malware capable of exploiting this flaw has not been detected.

Functional workarounds are currently not known to mitigate the risk of exploiting these vulnerabilities, so cybersecurity specialists recommend installing official fixes as soon as possible.

For more information on these issues and more computer security issues affecting these products, you can search the official Apache platforms and their multiple developments.