The U.S. Cybersecurity & Infrastructure Security Agency is warning of two vulnerabilities exploited in attacks, including a path traversal impacting Apache OFBiz.
Apache OFBiz (Open For Business) is a popular open-source enterprise resource planning (ERP) system that provides a suite of business applications to manage various aspects of an organization. Due to its versatility and cost-effectiveness, it’s used in a wide range of industries and business sizes.
The flaw added to CISA’s Known Exploited Vulnerability Catalog (KEV) is CVE-2024-32113, a path traversal vulnerability impacting OFBiz versions before 18.12.13. If exploited, it could allow attackers to remotely execute arbitrary commands on vulnerable servers.
Federal agencies and state organizations are given until August 28, 2024, to apply the available security updates and mitigations that address the risk or stop using the product.
The second flaw added to KEV yesterday, and for which CISA set the same deadline, is CVE-2024-36971, an Android kernel zero-day Google fixed earlier this week.
OFBiz Flaw details
The Apache OFBiz CVE-2024-32113 flaw was addressed on May 8, 2024. By the end of the month, security researchers published complete exploitation details demonstrating how the flaw could be used for malware deployment and pivoting to other network segments.
The flaw is caused by a combination of insufficient input validation and improper handling of user-supplied data, specifically failure to sanitize URLs, which allows directory traversal sequences like ../ and ; to bypass security filters.
In addition to this, the execution of user-provided Groovy scripts has inadequate blocklisting, failing to block dangerous commands and allowing malicious actors to perform arbitrary code execution.
Soon after security researcher “Unam4” published details on exploiting the flaw on his blog, others leveraged the information to develop working exploits, which they uploaded to GitHub.
New pre-auth RCE
As CISA warns about active exploitation for CVE-2024-32113, a newer flaw that impacts more recent versions of Apache OFBiz was uncovered earlier this week.
Tracked as CVE-2024-38856, the flaw is a critical (CVSS score: 9.8) pre-authentication remote code execution problem impacting Apache OFBiz versions up to 18.12.14.
SonicWall published extensive technical details about CVE-2024-38856 on Monday, while several proof-of-concept exploits have been made available on GitHub.
Therefore, active exploitation by threat actors will likely start anytime.
This issue was fixed with the release of OFBiz version 18.12.15, which should be the upgrade target for all users of the software.