The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting the Apache OFBiz open-source enterprise resource planning (ERP) system to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, tracked as CVE-2024-38856, has been flagged due to evidence of active exploitation in the wild. With a CVSS score of 9.8, the flaw is considered highly severe, posing significant security risks to organizations using Apache OFBiz.
CVE-2024-38856 is an incorrect authorization weakness in Apache OFBiz that leads to remote code execution: endpoints that should require a login can be reached without one, and an unauthenticated attacker can use them to submit a specially crafted Groovy payload that runs in the context of the OFBiz user process, potentially giving the attacker control of the affected system. The vulnerability was first brought to light earlier in August 2024, when cybersecurity firm SonicWall described it as a patch bypass for a related flaw, CVE-2024-36104, a path traversal issue fixed in 18.12.14 that similarly enabled remote code execution through crafted requests.
The discovery of this new vulnerability follows CISA’s recent addition of another Apache OFBiz flaw, CVE-2024-32113, to the KEV catalog. That flaw was reportedly exploited to deploy the Mirai botnet, highlighting the growing interest of threat actors in targeting publicly disclosed vulnerabilities in Apache OFBiz. While specific details about the real-world exploitation of CVE-2024-38856 remain sparse, the availability of proof-of-concept (PoC) exploits has raised concerns within the cybersecurity community.
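The article names no endpoints, and public exploitation details are thin, so a defender's first question is whether the request shape the authorization bypass allows has already hit their servers. The script below is an added example, not code from the article, CISA, SonicWall or the OFBiz project: it scans Apache-style access log lines for requests to the OFBiz control servlet in which a request URI that needs no login is followed by a privileged view name, normalizing URL encoding, `;` path parameters and `.`/`..` segments so that encoded variants of the same request are caught too. The view names, the parameter names and the log lines are assumptions constructed for illustration; check the names against your own controller.xml before relying on them.

```python
"""Hunt an access log for override-view requests against the OFBiz control
servlet. Illustrative hunting script; not OFBiz project code."""
import re
from urllib.parse import unquote

# ASSUMPTION: these names come from public write-ups of the 2024 OFBiz bugs,
# not from this article. Tune them to the views your controller.xml exposes.
UNAUTH_REQUESTS = {"forgotPassword", "main", "login", "logout"}
PRIVILEGED_VIEWS = {"ProgramExport", "EntitySQLProcessor"}
PAYLOAD_PARAMS = {"groovyProgram", "sqlCommand"}

# Common/combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_segments(target):
    """Split the request path the way a servlet container resolves it:
    URL-decode (twice, to catch %252e-style double encoding), drop ';'
    matrix parameters, and collapse '.' and '..' segments."""
    path = target.split("?", 1)[0]
    path = unquote(unquote(path))
    segs = []
    for raw in path.split("/"):
        seg = raw.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if segs:
                segs.pop()
            continue
        segs.append(seg)
    return segs


def query_params(target):
    """Parameter names present in the query string (POST bodies are not logged)."""
    if "?" not in target:
        return set()
    qs = target.split("?", 1)[1]
    return {unquote(p.split("=", 1)[0]) for p in qs.split("&") if p}


def classify(line):
    """Return the reasons a log line looks like override-view abuse, or []."""
    m = LOG_RE.match(line)
    if not m:
        return []
    segs = normalize_segments(m.group("target"))
    # Control servlet layout: /<webapp>/control/<request>[/<overrideView>...]
    if len(segs) < 3 or segs[1] != "control":
        return []
    request_uri, override = segs[2], segs[3:]
    reasons = []
    priv = [v for v in override if v in PRIVILEGED_VIEWS]
    if priv:
        if request_uri in UNAUTH_REQUESTS:
            reasons.append(f"override view {priv[0]} behind unauthenticated request {request_uri}")
        else:
            reasons.append(f"override view {priv[0]} appended to request {request_uri}")
    if query_params(m.group("target")) & PAYLOAD_PARAMS:
        reasons.append("script payload parameter in query string")
    return reasons


def scan(lines):
    """Return (ip, target, reasons) for every suspicious line."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), m.group("target"), reasons))
    return hits


# Constructed sample lines, not real traffic; 198.51.100.7 is the "attacker".
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Aug/2024:10:00:01 +0000] "GET /webtools/control/main HTTP/1.1" 200 5120',
    '10.0.0.5 - - [27/Aug/2024:10:00:02 +0000] "POST /webtools/control/login HTTP/1.1" 302 0',
    '198.51.100.7 - - [27/Aug/2024:10:01:00 +0000] "POST /webtools/control/forgotPassword/ProgramExport HTTP/1.1" 200 2048',
    '198.51.100.7 - - [27/Aug/2024:10:01:05 +0000] "POST /webtools/control/forgotPassword/%252e/ProgramExport HTTP/1.1" 200 2048',
    '198.51.100.7 - - [27/Aug/2024:10:01:09 +0000] "GET /webtools/control/main/;/ProgramExport?groovyProgram=x HTTP/1.1" 200 1024',
    '203.0.113.9 - - [27/Aug/2024:10:02:00 +0000] "GET /ecommerce/control/main HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(ip, target, "; ".join(reasons))
```

Because the Groovy payload travels in a POST body, which access logs do not record, the script keys on the path shape rather than on payload content; a hit on the path alone is enough to warrant pulling the host's OFBiz logs and checking for unexpected child processes of the OFBiz user.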
To mitigate the threat, CISA strongly recommends that organizations update their Apache OFBiz systems to version 18.12.15 or later. Because the fixes for CVE-2024-32113 and CVE-2024-36104 were each bypassed by the next flaw in this series, having applied an earlier patch is not enough; confirm the version actually running is 18.12.15 or later. Federal Civilian Executive Branch (FCEB) agencies have been mandated to apply the necessary updates by September 17, 2024, to ensure protection against potential breaches. The active exploitation of multiple Apache OFBiz vulnerabilities underscores the importance of timely patching and vigilant monitoring to safeguard critical infrastructure.