Apache OFBiz SSRF (CVE-2024-45507) - Vulnerability Database

Apache OFBiz SSRF (CVE-2024-45507)

Description

Apache OFBiz contains a Server-Side Request Forgery (SSRF) vulnerability that allows unauthenticated attackers to bypass network security controls and send arbitrary HTTP requests from the OFBiz server. Attackers can exploit this flaw to perform reconnaissance of internal network resources, access services that are not directly exposed to the internet, and potentially chain this vulnerability with other exploits to achieve Remote Code Execution (RCE) on the affected server.

Remediation

Apply the following remediation steps immediately:

1. Upgrade Apache OFBiz to version 18.12.16 or later, which includes validation to block malicious URL patterns in screen/script URIs

2. Verify the patch by testing that external URL lookups are properly restricted after the upgrade

3. Review logs for any suspicious DNS queries or outbound requests to unusual domains (particularly *.bxss.me or other known SSRF testing domains) that may indicate prior exploitation

4. Implement network-level controls as defense-in-depth measures:
• Restrict outbound connections from the OFBiz server to only necessary destinations
• Deploy egress filtering to block requests to internal IP ranges (RFC 1918 addresses)
• Monitor and alert on unexpected outbound traffic patterns

For detailed patch information, refer to OFBIZ-13132 in the Apache JIRA issue tracker.
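
A detection pass over the two log sources named in steps 3 and 4, as an added example that is not part of this advisory or of Apache OFBiz: it flags resolver queries under the suspect domain the advisory names and OFBiz-originated requests to RFC 1918 addresses. The log line formats, the server address 10.0.5.12 and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample logs (not real OFBiz or Invicti data): a resolver query log
# and an egress-proxy log for the segment hosting the OFBiz server (10.0.5.12).
SAMPLE_DNS_LOG = """\
2024-09-05T10:01:02Z query: www.apache.org IN A from 10.0.5.12
2024-09-05T10:03:44Z query: abc123.bxss.me IN A from 10.0.5.12
2024-09-05T10:03:45Z query: updates.example.com IN A from 10.0.5.20
"""
SAMPLE_EGRESS_LOG = """\
2024-09-05T10:02:10Z src=10.0.5.12 dst=http://www.apache.org/ status=200
2024-09-05T10:04:01Z src=10.0.5.12 dst=http://10.0.3.7:8080/ status=200
2024-09-05T10:04:30Z src=10.0.5.20 dst=http://192.168.1.50/ status=200
"""

# Assumptions: bxss.me is the domain the advisory names; extend the tuple with any
# other SSRF-callback domains you track. OFBIZ_HOSTS is the server's own address.
OFBIZ_HOSTS = {"10.0.5.12"}
SUSPECT_DOMAIN_SUFFIXES = ("bxss.me",)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def suspicious_dns_queries(log_text, suffixes=SUSPECT_DOMAIN_SUFFIXES):
    """Return (source, name) for every query whose name sits under a suspect domain."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"query: (\S+) IN \S+ from (\S+)", line)
        if not m:
            continue
        name, src = m.groups()
        if any(name == s or name.endswith("." + s) for s in suffixes):
            hits.append((src, name))
    return hits

def outbound_to_internal(log_text, server_hosts=OFBIZ_HOSTS):
    """Return (source, url) for OFBiz-originated requests to RFC 1918 IP literals."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"src=(\S+) dst=(\S+)", line)
        if not m or m.group(1) not in server_hosts:
            continue
        src, url = m.groups()
        try:
            addr = ipaddress.ip_address(urlsplit(url).hostname)
        except ValueError:
            continue  # a hostname rather than an IP literal; the egress filter checks those
        if any(addr in net for net in RFC1918):
            hits.append((src, url))
    return hits
```

Requests that name an internal host rather than an IP literal are deliberately left to the egress filter, which sees the resolved address.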
