Mirai Botnet targeting OFBiz Servers Vulnerable to Directory Traversal
Description

Enterprise Resource Planning (ERP) software is at the heart of many enterprises, supporting human resources, accounting, shipping, and manufacturing. These systems can become very complex and difficult to maintain. They are often highly customized, which can make patching difficult. Yet critical vulnerabilities keep affecting these systems and put critical business data at risk.

The SANS Internet Storm Center published a report showing how the open-source ERP framework OFBiz is currently the target of new variants of the Mirai botnet. As part of its extensive project portfolio, the Apache Software Foundation supports OFBiz, a Java-based framework for building ERP applications. OFBiz appears to be far less prevalent than commercial alternatives. However, just as with any other ERP system, organizations rely on it for sensitive business data, and the security of these ERP systems is critical.

In May this year, a critical security update was released for OFBiz. The update fixed a directory traversal vulnerability that could lead to remote command execution. OFBiz versions before 18.12.13 were affected. A few weeks later, details about the vulnerability were made public.

Directory traversal, or path traversal, vulnerabilities can be used to bypass access control rules. For example, if a user can access a "/public" directory but not a "/admin" directory, an attacker may use a URL like "/public/../admin" to fool access control logic that inspects the raw request path before the path is resolved. Recently,…
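The access-control bypass described above, as an added example that is not part of the original article and is not OFBiz's own code: a naive authorization check that tests the raw request path against an allowed prefix is fooled by "/public/../admin" (and by its percent-encoded forms), while a check that first decodes and canonicalizes the path is not. The prefix "/public/" and the sample request paths are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical policy: only paths under /public/ may be served anonymously.
PUBLIC_PREFIX = "/public/"


def vulnerable_is_allowed(path: str) -> bool:
    """Naive check: authorizes on the raw request path before it is resolved.

    "/public/../admin" starts with "/public/", so it is allowed, but the
    server will later resolve it to "/admin".
    """
    return path.startswith(PUBLIC_PREFIX)


def canonicalize(path: str) -> str:
    """Reduce a request path to the form the file system or router will see.

    1. Percent-decode repeatedly (bounded) so %2e%2e and %252e%252e both become "..".
    2. Treat backslashes as separators (some routers do).
    3. Collapse "." and ".." segments and duplicate slashes with posixpath.normpath.
    """
    decoded = path
    for _ in range(3):  # bounded loop catches double encoding without spinning forever
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")
    # lstrip avoids "//public" which normpath would preserve as a leading "//"
    return posixpath.normpath("/" + decoded.lstrip("/"))


def hardened_is_allowed(path: str) -> bool:
    """Authorize on the canonical path, so traversal segments are resolved first."""
    canon = canonicalize(path)
    return canon == PUBLIC_PREFIX.rstrip("/") or canon.startswith(PUBLIC_PREFIX)


def compare(paths):
    """Return {path: (vulnerable_decision, hardened_decision)} for each request path."""
    return {p: (vulnerable_is_allowed(p), hardened_is_allowed(p)) for p in paths}


# Constructed sample requests: a legitimate one, the traversal from the article,
# encoded and double-encoded variants, and a direct hit on the protected path.
SAMPLE_PATHS = [
    "/public/index.html",
    "/public/../admin",
    "/public/%2e%2e/admin",
    "/public/%252e%252e/admin",
    "/admin",
]

if __name__ == "__main__":
    for p, (vuln, hard) in compare(SAMPLE_PATHS).items():
        print(f"{p:32} naive={vuln!s:5} canonical={hard!s:5} -> {canonicalize(p)}")
```

The point of canonicalizing before the check is that the authorization logic and the component that eventually serves the file must agree on what the path means; comparing against the raw string lets the attacker pick whichever interpretation suits them.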
