A critical pre-authentication remote code execution (RCE) vulnerability, CVE-2024-38856, has been identified in Apache OFBiz, an open-source ERP system [1] [2] [3] [4] [5] [6] [7] [8].
Description
This flaw, discovered by security researchers including Hasib Vhora and the SonicWall Capture Labs threat research team [4], allows an unauthenticated attacker to execute code remotely by exploiting an incorrect authorization issue in the software [5]. The vulnerability affects versions up to 18.12.14 and is patched in version 18.12.15, released on Aug 3 [7]. The German Federal Office for Information Security (BSI) has assigned the vulnerability a CVSS Base Score of 9.8, underlining its severity [4]. SonicWall has developed an IPS signature to detect active exploitation and disclosed the flaw to Apache OFBiz for patching [3]. Administrators are advised to update their installations promptly to prevent remote code execution attacks [4]. This is the fifth critical or important security vulnerability found and patched in OFBiz this year [7]. Researchers from SonicWall have praised the OFBiz developers for delivering a working patch within 24 hours [7]. OFBiz customers, including Atlassian JIRA, Home Depot, United Airlines, and Upwork Global, are among the 170 affected organizations [3] [6]. The vulnerability has associated CWE and Common Attack Pattern Enumeration and Classification (CAPEC) entries [2]. Three public PoC/exploits for CVE-2024-38856 are available on GitHub, and a curated list of external links offers in-depth information, practical solutions, and tools related to the vulnerability [2].
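The only actionable facts the advisory gives a defender are the version boundaries: anything up to 18.12.14 is affected and 18.12.15 is the first fixed release. The following is an added example, not code from the advisory or from the Apache OFBiz project, showing how to triage an inventory of OFBiz hosts against those boundaries. It assumes a constructed list of (hostname, version string) pairs; the hostnames and versions are made up for illustration. It also shows why version strings must be compared numerically rather than lexicographically, a common mistake in ad hoc inventory scripts ("18.12.9" sorts after "18.12.15" as a string).

```python
import re
from typing import Dict, List, Optional, Tuple

# Version boundaries as stated in the advisory text above (18.12.x line).
LAST_AFFECTED_VERSION = "18.12.14"
FIRST_FIXED_VERSION = "18.12.15"

# Constructed sample inventory (hypothetical hosts and versions, not real data).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("erp-prod-01", "18.12.14"),     # last affected release
    ("erp-prod-02", "18.12.15"),     # first fixed release
    ("erp-legacy", "17.12.07"),      # older release line, still below the fix
    ("erp-staging", "18.12.9"),      # affected, but string comparison gets it wrong
    ("erp-unknown", "trunk-build"),  # not a dotted version; needs manual review
]


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse a dotted numeric version such as '18.12.9' into a tuple of ints.

    Returns None for anything that is not a plain dotted version, so callers
    can flag it for manual review instead of silently treating it as safe.
    """
    match = re.fullmatch(r"\s*v?(\d+(?:\.\d+)*)\s*", text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: str) -> Optional[bool]:
    """True if the version is below the first fixed release, False otherwise.

    Returns None when the version string cannot be parsed.
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    fixed = parse_version(FIRST_FIXED_VERSION)
    assert fixed is not None
    # Tuple comparison is element-wise and numeric, so 9 < 15 as expected.
    return parsed < fixed


def naive_string_check(version: str) -> bool:
    """The common mistake: comparing version strings lexicographically.

    Included only to show why parse_version() is needed; '18.12.9' compares
    greater than '18.12.15' because '9' > '1' at the first differing character.
    """
    return version < FIRST_FIXED_VERSION


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Classify each host as 'affected', 'fixed' or 'unknown'."""
    report: Dict[str, str] = {}
    for host, version in inventory:
        state = is_affected(version)
        if state is None:
            report[host] = "unknown"
        else:
            report[host] = "affected" if state else "fixed"
    return report


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14s} {status}")
    # Demonstrate the pitfall on the staging host's version.
    print("naive string check says 18.12.9 is fixed:",
          not naive_string_check("18.12.9"))
```

Hosts reported as "unknown" (snapshot or trunk builds, custom version strings) should be checked by hand rather than assumed patched; the function deliberately refuses to guess.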
Conclusion
While no attacks exploiting CVE-2024-38856 have been detected, it is worth noting that another Apache OFBiz vulnerability, CVE-2024-32113, has been targeted by malicious actors, potentially leading to remote command execution [1]. The level of risk for organizations using this framework is therefore high [7], and administrators are urged to update their installations promptly to prevent remote code execution attacks [4].
References
[1] https://www.infosecurity-magazine.com/news/fla-apache-ofbiz-requires-patching/
[2] https://cvefeed.io/vuln/detail/CVE-2024-38856
[3] https://blog.sonicwall.com/en-us/2024/08/sonicwall-discovers-second-critical-apache-ofbiz-zero-day-vulnerability/
[4] https://www.helpnetsecurity.com/2024/08/05/cve-2024-38856/
[5] https://securityaffairs.com/166612/hacking/critical-apache-ofbiz-flaw.html
[6] https://www.darkreading.com/application-security/critical-apache-ofbiz-vulnerability-allows-preauth-rce
[7] https://www.csoonline.com/article/3481545/new-critical-apache-ofbiz-vulnerability-patched-as-older-flaw-is-actively-exploited.html
[8] https://cyber.vumetric.com/security-news/2024/08/05/critical-apache-ofbiz-pre-auth-rce-flaw-fixed-update-asap-cve-2024-38856/