A critical zero-day vulnerability in Apache OFBiz, an open-source enterprise resource planning (ERP) system, has been identified, allowing unauthenticated attackers to execute arbitrary code remotely. Tracked as CVE-2024-38856, this high-severity flaw has a CVSS score of 9.8 and impacts all versions of Apache OFBiz up to and including 18.12.14. The vulnerability was uncovered by SonicWall’s Capture Labs threat research team and results from a flaw in the override view functionality, which exposes sensitive endpoints to attackers who can exploit specially crafted requests to gain unauthorized access and execute code.
Apache OFBiz is widely utilized by organizations for managing various business functions, including accounting, human resources, customer relationship management, and e-commerce. With approximately 170 companies using the software, including notable names like United Airlines, Atlassian JIRA, Home Depot, HP, and Upwork, the vulnerability poses a significant risk to a broad range of enterprise environments. The flaw was discovered while researchers were analyzing a previously patched vulnerability (CVE-2024-36104) and revealed that certain request manipulations could bypass authentication checks and access restricted endpoints.
Following the responsible disclosure of the vulnerability by SonicWall, the Apache OFBiz team acted swiftly to develop and release a patch. Users are strongly encouraged to upgrade their installations to version 18.12.15 or newer to address this critical security issue and protect their systems from potential exploitation. The quick response underscores the importance of maintaining up-to-date security practices and promptly addressing vulnerabilities in critical business software.
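As an added example (not code from the advisory, SonicWall or the Apache OFBiz project), a small Python helper that triages a deployment inventory against the affected range stated above (all releases up to and including 18.12.14, fixed in 18.12.15). Host names and version strings are constructed sample data.

```python
"""Triage an inventory of Apache OFBiz deployments against CVE-2024-38856.

Affected: every release below 18.12.15 (i.e. up to and including 18.12.14).
Pre-release builds of 18.12.15 (e.g. '-SNAPSHOT') are treated conservatively
as not yet carrying the fix. The inventory below is constructed sample data."""
import re
from typing import NamedTuple, Optional, Tuple

FIXED_VERSION = (18, 12, 15)
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(-\S+)?")


class Host(NamedTuple):
    name: str
    version: str


def parse_version(text: str) -> Optional[Tuple[Tuple[int, ...], bool]]:
    """Return ((major, minor, patch...), is_prerelease) or None if unparseable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    numbers = tuple(int(p) for p in m.group(1).split("."))
    return numbers, m.group(2) is not None


def is_affected(version: str) -> Optional[bool]:
    """True when in the affected range, False when patched, None when unknown."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    numbers, prerelease = parsed
    # Pad short versions such as '17.12' so tuple comparison is well defined.
    padded = numbers + (0,) * (len(FIXED_VERSION) - len(numbers))
    if padded == FIXED_VERSION and prerelease:
        return True  # e.g. 18.12.15-SNAPSHOT predates the fixed release
    return padded < FIXED_VERSION


def triage(hosts):
    """Group hosts into affected / patched / unknown buckets for remediation."""
    report = {"affected": [], "patched": [], "unknown": []}
    for host in hosts:
        state = is_affected(host.version)
        key = "unknown" if state is None else ("affected" if state else "patched")
        report[key].append(host.name)
    return report


SAMPLE_INVENTORY = [  # constructed sample data, not real hosts
    Host("erp-prod-01", "18.12.14"), Host("erp-prod-02", "18.12.15"),
    Host("erp-legacy", "17.12.07"), Host("erp-dev", "18.12.15-SNAPSHOT"),
    Host("erp-unknown", "n/a"),
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```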
Although there is currently no evidence of active exploitation of CVE-2024-38856 in the wild, the critical nature of the vulnerability and its potential impact on widely used enterprise software make immediate action imperative. The discovery and patching of this vulnerability mark SonicWall’s second significant finding in Apache OFBiz within recent months, following another critical flaw identified in December 2023. This highlights the ongoing need for rigorous security assessments and timely updates to safeguard against emerging threats.