Critical Apache OFBiz pre-auth RCE flaw fixed, update ASAP! (CVE-2024-38856)
CVE-2024-38856, an incorrect authorization vulnerability affecting all but the latest version of Apache OFBiz, may be exploited by remote, unauthenticated attackers to execute arbitrary code on vulnerable systems.
About CVE-2024-38856
Apache OFBiz is an open-source framework for enterprise resource planning (ERP) that encompasses web applications that serve common business needs, such as human resources, accounting, inventory management, customer relationship management, marketing and so on.
CVE-2024-38856 – discovered by Hasib Vhora, a senior threat researcher at SonicWall’s Capture Labs, and a slew of other security researchers – affects every Apache OFBiz version up to and including v18.12.14.
The description of the vulnerability by Apache OFBiz developer Jacques Le Roux is light on specifics, but Vhora has published a detailed technical write-up about it.
The vulnerability was discovered while he and his colleagues were analyzing how a previously patched path traversal flaw (CVE-2024-36104) could be triggered by a publicly available PoC exploit.
They found that they could abuse the override view functionality to gain unauthenticated access to a specific endpoint by chaining it with any other endpoint that does not require authentication.
No evidence of active exploitation
According to an advisory published by the German Federal Office for Information Security (BSI), CVE-2024-38856 has a CVSS Base Score of 9.8 (critical) and a Temporal Score of 8.5 (high).
“[CVE-2024-38856] exposes critical endpoints to unauthenticated threat actors using a crafted request, paving the way for remote code execution,” Vhora explained.
The fix for the flaw has been added to v18.12.15, which was released nearly a month ago, and its effectiveness has been confirmed.
Users are advised to upgrade their installations as soon as possible, especially in view of the recent report by the SANS Internet Storm Center, which warns about attackers trying to exploit CVE-2024-32113, a path traversal vulnerability that affects OFBiz versions up to v18.12.12.
“OFBiz appears to be far less prevalent than commercial alternatives. However, just as with any other ERP system, organizations rely on it for sensitive business data, and the security of these ERP systems is critical,” noted Johannes Ullrich, Dean of Research at the SANS Technology Institute.
SonicWall says that the Apache OFBiz team came up with a fix for CVE-2024-38856 within 24 hours, and that the company is, at this time, unaware of any active exploitation of the flaw.
UPDATE (August 28, 2024, 02:50 a.m. ET):
A day after a PoC exploit for the flaw was published, CISA has added CVE-2024-38856 to its Known Exploited Vulnerabilities catalog.