The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a security vulnerability affecting Apache OFBiz, the open-source enterprise resource planning (ERP) system. This Apache OFBiz vulnerability, identified as CVE-2024-38856, has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog due to ongoing evidence of its exploitation in the wild.
CVE-2024-38856 has been rated with a CVSS score of 9.8, classifying it as critical in severity. The vulnerability allows attackers to execute remote code without prior authentication, posing a severe risk to affected systems. This vulnerability can be exploited by attackers through maliciously crafted requests, leading to remote code execution.
Decoding the Critical Apache OFBiz Vulnerability (CVE-2024-38856)
Apache OFBiz versions up to 18.12.13 are affected by CVE-2024-36104, while versions up to 18.12.14 are impacted by CVE-2024-38856. Apache OFBiz is a popular open-source ERP system that supports various business functions, such as customer relationship management and order processing. Due to its widespread use, security vulnerabilities in OFBiz can significantly affect businesses.
CVE-2024-38856, identified by the Apache Software Foundation, was published on August 5, 2024, and updated on August 28, 2024. This flaw involves incorrect authorization in Apache OFBiz versions up to 18.12.14, allowing unauthenticated access to certain endpoints.
This can potentially enable attackers to execute screen rendering code if specific conditions are met, particularly if screen definitions fail to check user permissions due to endpoint configuration issues. The vulnerability is classified as CWE-863 Incorrect Authorization.
Recommended Actions
Organizations using Apache OFBiz are urged to upgrade to version 18.12.15 to address the critical security issue of CVE-2024-38856. Federal Civilian Executive Branch (FCEB) agencies must apply this update by September 17, 2024, to protect against potential exploits.
This recommendation follows the earlier identification of CVE-2024-32113, another Apache OFBiz vulnerability that was added to the KEV catalog in August. CVE-2024-32113 had been exploited in attacks using the Mirai botnet, highlighting the serious risks associated with such flaws. Although specific exploitation details for CVE-2024-38856 are currently limited, the presence of proof-of-concept exploits indicates that attackers are actively targeting this vulnerability.
The emergence of these vulnerabilities in Apache OFBiz reflects a concerning trend of attackers exploiting known flaws in widely used software. This situation highlights the urgent need for organizations to implement timely updates and safeguard their systems against online threats and vulnerability exploration. For guidance on addressing these vulnerabilities, users should consult Apache OFBiz’s official security resources and advisories.
Moreover, CISA “strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria”.