Critical CVE-2024-38856 RCE vulnerability in Apache OFBiz ERP poses significant pre-authentication risks. Here's the breakdown.
Apache OFBiz, an open-source enterprise resource planning (ERP) framework, is widely used for various business applications. A critical pre-authentication remote code execution (RCE) vulnerability, tracked as CVE-2024-38856, has been discovered, posing significant risks to systems running OFBiz.
Here’s what you need to know:
Affected products: | Apache OFBiz versions up to and including v18.12.14 |
Product category: | Enterprise Resource Planning (ERP) Software |
Severity: | Critical |
Type: | Pre-authentication Remote Code Execution (RCE) |
Impact: | Allows unauthenticated attackers to execute arbitrary code, potentially leading to full system compromise |
PoC: | No |
Exploit in the wild | No evidence of active exploitation has been reported as of the latest information
|
CISA Catalog | No |
Remediation action | Upgrade to Apache OFBiz version 18.12.15 |
MITRE advisory |
CVE-2024-38856 is a severe vulnerability in Apache OFBiz that allows unauthenticated attackers to execute arbitrary code remotely. This flaw affects all versions of Apache OFBiz up to and including v18.12.14. The discovery of this vulnerability is credited to Hasib Vhora, a senior threat researcher at SonicWall’s Capture Labs, and his team of security researchers.
The vulnerability arises from incorrect authorization checks within the framework, which can be exploited through crafted requests. The researchers uncovered this issue while analyzing a previously patched path traversal flaw, CVE-2024-36104, and discovered that the override view functionality could be abused to gain unauthenticated access to certain endpoints. Detailed technical insights are provided in Vhora’s write-up on the SonicWall blog.
This issue affects Apache OFBiz: through 18.12.14. If you are using Apache OFBiz, especially versions up to 18.12.14, your systems are vulnerable to CVE-2024-38856.
Apache OFBiz is integral to many business operations, including human resources, accounting, inventory management, and customer relationship management. The critical nature of this flaw is highlighted by its CVSS Base Score of 9.8, indicating the high potential for exploitation and significant impact on business operations.
An advisory published by the German Federal Office for Information Security (BSI), has given CVE-2024-38856 a Critical CVSS Base Score of 9.8, and Temporal Score of 8.5 (high).
As of the latest reports, there has been no evidence of active exploitation of CVE-2024-38856 in the wild. The Apache OFBiz team responded promptly by releasing a fix within 24 hours of the vulnerability’s disclosure. However, the lack of active exploitation does not diminish the urgency of addressing this flaw.
The SANS Internet Storm Center has reported increased activity against a related vulnerability, CVE-2024-32113, emphasizing the need for vigilance and proactive measures. Johannes Ullrich, Dean of Research at the SANS Technology Institute, highlights the critical nature of securing ERP systems, given their role in managing sensitive business data.
To mitigate the risks associated with CVE-2024-38856, it is imperative to upgrade Apache OFBiz to version 18.12.15, where the vulnerability has been patched. In view of a recent report by the SANS Internet Storm Center warning about various attempts of attackers to exploit CVE-2024-32113, it is highly recommended to immediately follow the following steps to ensure your systems are secure:
For detailed instructions on the update process, refer to the technical write-up by Hasib Vhora on SonicWall’s blog and the advisory from BSI.
Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: