U.S. CISA Includes Apache OFBiz Bug in its Known Exploited Vulnerabilities Catalog

August 28, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added an Apache OFBiz bug, CVE-2024-38856, to its Known Exploited Vulnerabilities catalog. This bug is an incorrect authorization issue that affects Apache OFBiz versions up to 18.12.14. It was reported by Hasib Vhora from SonicWall and other security experts.

The vulnerability allows unauthenticated users to execute the screen-rendering code of certain screens under specific conditions, for example when a screen definition does not check the user's permissions itself because it relies on the configuration of its endpoints to do so. This issue has been addressed in Apache OFBiz version 18.12.15.

SonicWall's Capture Labs threat research team discovered this pre-authentication remote code execution vulnerability in Apache OFBiz. It is the second major flaw that SonicWall has uncovered in Apache OFBiz in recent months. The flaw lies in the override view functionality, which exposes critical endpoints to unauthenticated threat actors using a crafted request, leading to potential remote code execution. Users are urged to upgrade to version 18.12.15 or newer.

Apache OFBiz is an open-source ERP system used by hundreds of companies globally. It assists businesses in automating and integrating various processes, including accounting, HR, CRM, order management, manufacturing, and e-commerce. Notable users include United Airlines, Atlassian JIRA, Home Depot, and HP.

Although there have been no known attacks exploiting this vulnerability, SonicWall has developed an IPS signature to detect any active exploitation of this issue. According to the Binding Operational Directive, federal agencies must address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog. Private organizations are also advised to review the catalog and address any vulnerabilities in their infrastructure. All federal agencies are required to fix this vulnerability by September 17, 2024.
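As an added example (not code from the article, CISA or SonicWall), the following Python helper triages an inventory of OFBiz installations against the facts above: affected through 18.12.14, fixed in 18.12.15, and a federal remediation due date of September 17, 2024. The hostnames and versions in the inventory are constructed sample data.

```python
from datetime import date

# Facts taken from the KEV entry described in the article.
CVE_ID = "CVE-2024-38856"
LAST_AFFECTED = (18, 12, 14)   # affected up to and including this version
FIXED_VERSION = (18, 12, 15)
KEV_DUE_DATE = date(2024, 9, 17)


def parse_version(text):
    """Turn '18.12.14' (or '18.12.09') into (18, 12, 14). Numeric tuples compare
    correctly; a plain string comparison would rank '18.12.9' above '18.12.14'."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised OFBiz version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version_text):
    """True when the version is at or below the last affected release."""
    return parse_version(version_text) <= LAST_AFFECTED


def triage(hosts, today_iso):
    """hosts: {hostname: version string}; today_iso: 'YYYY-MM-DD'.
    Returns one finding per affected host with the days left to the KEV due date."""
    today = date.fromisoformat(today_iso)
    days_left = (KEV_DUE_DATE - today).days
    findings = []
    for host, ver in hosts.items():
        if is_affected(ver):
            findings.append({
                "host": host, "version": ver, "cve": CVE_ID,
                "action": "upgrade to %s or newer" % ".".join(map(str, FIXED_VERSION)),
                "days_to_kev_deadline": days_left,
                "overdue": days_left < 0,
            })
    return findings


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = {
    "erp-prod-01": "18.12.14",
    "erp-prod-02": "18.12.15",
    "erp-legacy": "17.12.10",
    "erp-test": "18.12.09",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY, "2024-08-28"):
        print(finding)
```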
