U.S. CISA Includes Apache OFBiz Bug in its Known Exploited Vulnerabilities Catalog
August 28, 2024
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added an Apache OFBiz bug, CVE-2024-38856, to its Known Exploited Vulnerabilities catalog. This bug is an incorrect authorization issue that affects Apache OFBiz versions up to 18.12.14. It was reported by Hasib Vhora from SonicWall and other security experts.
The vulnerability allows unauthenticated users to execute the rendering code of screens under certain conditions, for example when a screen definition does not check the user's permissions itself because it relies on the permission configuration of its endpoints. This issue has been addressed in Apache OFBiz version 18.12.15.
SonicWall's Capture Labs threat research team discovered this pre-authentication remote code execution vulnerability in Apache OFBiz. It is the second major flaw that SonicWall has uncovered in Apache OFBiz in recent months. The flaw lies in the override view functionality: a crafted request can reach critical endpoints without authentication, which can lead to remote code execution. Users are urged to upgrade to version 18.12.15 or newer.
Apache OFBiz is an open-source ERP system used by hundreds of companies globally. It assists businesses in automating and integrating various processes, including accounting, HR, CRM, order management, manufacturing, and e-commerce. Notable users include United Airlines, Atlassian JIRA, Home Depot, and HP.
Although there have been no known attacks exploiting this vulnerability, SonicWall has developed an IPS signature to detect any active exploitation of this issue. According to the Binding Operational Directive, federal agencies must address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog. Private organizations are also advised to review the catalog and address any vulnerabilities in their infrastructure. All federal agencies are required to fix this vulnerability by September 17, 2024.
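As an added example (not code from the article, SonicWall or the OFBiz project), the check below turns the facts above into a triage helper: it flags inventory entries still on a version before the 18.12.15 fix and reports how many days remain before the CISA due date. The hostnames and versions in the sample inventory are constructed.

```python
# Added triage example (not from the article or the OFBiz project).
# From the article: affected up to 18.12.14, fixed in 18.12.15,
# CISA due date 2024-09-17. Hostnames/versions below are constructed.
from datetime import date
import re

FIXED_VERSION = (18, 12, 15)       # first release containing the fix
CISA_DUE_DATE = date(2024, 9, 17)  # remediation due date from the KEV entry


def parse_version(text):
    """Parse '18.12.14' into (18, 12, 14) so comparison is numeric.

    A string comparison would wrongly rank '18.12.9' above '18.12.14';
    integer tuples compare component by component.
    """
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised OFBiz version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version_text):
    """True when the version predates the 18.12.15 fix."""
    return parse_version(version_text) < FIXED_VERSION


def triage(inventory, today):
    """Return (host, version, days_until_due) for each affected host;
    days_until_due goes negative once the CISA due date has passed."""
    return [
        (host, version, (CISA_DUE_DATE - today).days)
        for host, version in inventory
        if is_affected(version)
    ]


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    ("erp-prod.example", "18.12.14"),
    ("erp-test.example", "18.12.9"),
    ("erp-new.example", "18.12.15"),
]

if __name__ == "__main__":
    for host, version, days in triage(SAMPLE_INVENTORY, date(2024, 8, 28)):
        print(f"{host}: OFBiz {version} affected by CVE-2024-38856, "
              f"{days} days until the CISA due date")
```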