Apache OFBiz Zero-Day Vulnerability Let Attackers Execute Remote Code


A critical zero-day vulnerability in Apache OFBiz, an open-source enterprise resource planning (ERP) system, has been discovered that could allow unauthenticated attackers to execute arbitrary code remotely. The flaw, tracked as CVE-2024-38856 with a CVSS score of 9.8, affects all versions of Apache OFBiz up to and including 18.12.14.

The vulnerability was uncovered by researchers at SonicWall’s Capture Labs threat research team. It stems from a flaw in the override view functionality that exposes critical endpoints to unauthenticated threat actors via specially crafted requests, which can lead to remote code execution without any authentication.


Organizations widely use Apache OFBiz to manage various business processes, including accounting, human resources, customer relationship management, and e-commerce.


According to available data, approximately 170 companies utilize Apache OFBiz, with 41% of users based in the United States. Notable users include United Airlines, Atlassian JIRA, Home Depot, HP, and Upwork.

Researchers discovered the vulnerability while analyzing a previously patched flaw (CVE-2024-36104). They found that manipulating certain request parameters could bypass authentication checks and access restricted endpoints.

SonicWall responsibly disclosed the vulnerability to the Apache OFBiz team, who promptly developed and released a patch. To mitigate the risk, users are strongly urged to upgrade their OFBiz installations to version 18.12.15 or newer.

This is the second major Apache OFBiz vulnerability SonicWall has reported in recent months, following another critical flaw found in December 2023. The quick succession of severe vulnerabilities highlights the importance of timely patching and ongoing security assessments for critical business software.

Currently, there is no evidence of active exploitation of this vulnerability in the wild. However, given the critical nature of the flaw and the widespread use of Apache OFBiz in enterprise environments, organizations are advised to take immediate action to protect their systems.

The vulnerability in Apache OFBiz was promptly addressed in the following commit.

