Pierluigi Paganini August 28, 2024

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apache OFBiz bug to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Apache OFBiz Incorrect Authorization Vulnerability CVE-2024-38856 (CVSS score of 9.8) to its Known Exploited Vulnerabilities (KEV) catalog.

The vulnerability is an incorrect authorization issue in Apache OFBiz that impacts versions through 18.12.14, version 18.12.15 addressed the flaw.

“Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don’t explicitly check user’s permissions because they rely on the configuration of their endpoints).” reads the advisory.

The security researcher Hasib Vhora from SonicWall reported the vulnerability CVE-2024-38856 along with other security experts.

 “The SonicWall Capture Labs threat research team has discovered a pre-authentication remote code execution vulnerability in Apache OFBiz being tracked as CVE-2024-38856 with a CVSS score of 9.8. This is the second major flaw SonicWall has discovered in Apache OFBiz in recent months, the first coming in December 2023.” wrote Vhora. “This time, a flaw in the override view functionality exposes critical endpoints to unauthenticated threat actors using a crafted request, paving the way for remote code execution. It affects Apache OFBiz versions up to 18.12.14, and users are strongly encouraged to upgrade their instances to version 18.12.15 or newer.”

The issue stems from a flaw in the authentication mechanism, which allows unauthenticated users to access features typically restricted to logged-in users, potentially leading to remote code execution.

Apache OFBiz is an open-source ERP system that helps businesses automate and integrate various processes such as accounting, HR, CRM, order management, manufacturing, and e-commerce. It is used by hundreds of companies worldwide, with 41% in the U.S., 19% in India, 7% in Germany, 6% in France, and 5% in the U.K. Notable users include United Airlines, Atlassian JIRA, Home Depot, and HP.

SonicWall is not aware of attacks in the wild exploiting this vulnerability, however it has developed IPS signature IPS:4455 to detect any active exploitation of this issue.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by September 17, 2024.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, CISA)