The U.S. Cybersecurity and Infrastructure Security Agency (CISA) Apache OFBiz Incorrect Authorization Vulnerability CVE-2024-38856 (CVSS score of 9.8) to its .
The vulnerability is an incorrect authorization issue in Apache OFBiz that impacts versions through 18.12.14, version 18.12.15 addressed the flaw.
“Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don’t explicitly check user’s permissions because they rely on the configuration of their endpoints).” .
The security researcher Hasib Vhora from SonicWall reported the vulnerability CVE-2024-38856 along with other security experts.
“The SonicWall Capture Labs threat research team has discovered a pre-authentication remote code execution vulnerability in Apache OFBiz being tracked as with a CVSS score of 9.8. This is the SonicWall has discovered in Apache OFBiz in recent months, the first coming in December 2023.” . “This time, a flaw in the override view functionality exposes critical endpoints to unauthenticated threat actors using a crafted request, paving the way for remote code execution. It affects Apache OFBiz versions up to 18.12.14, and users are strongly encouraged to upgrade their instances to version or newer.”
The issue stems from a flaw in the authentication mechanism, which allows unauthenticated users to access features typically restricted to logged-in users, potentially leading to remote code execution.
Apache OFBiz is an open-source ERP system that helps businesses automate and integrate various processes such as accounting, HR, CRM, order management, manufacturing, and e-commerce. It is used by hundreds of companies worldwide, with 41% in the U.S., 19% in India, 7% in Germany, 6% in France, and 5% in the U.K. Notable users include United Airlines, Atlassian JIRA, Home Depot, and HP.
SonicWall is not aware of attacks in the wild exploiting this vulnerability, however it has developed IPS signature IPS:4455 to detect any active exploitation of this issue.
According to , FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend private organizations review the and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this vulnerability by September 17, 2024.
Follow me on Twitter: and and Mastodon
(SecurityAffairs – hacking, CISA)