Exploited: CISA Highlights Apache OFBiz Flaw After PoC Emerges

Published: 23/11/2024   Category: security




The vulnerability carries nearly the highest score possible on the CVSS scale, at 9.8, impacting a system used by major companies around the world.



CISA has added a critical security flaw in the Apache OFBiz open source enterprise resource planning (ERP) system to its Known Exploited Vulnerabilities (KEV) catalog.
Apache OFBiz is a system that helps industries manage their operations, such as customer relations, human resource functions, order processing, and warehouse management. Roughly 170 companies use Apache OFBiz, 41% of them in the US. These include bigwigs such as United Airlines, Home Depot, and HP Development, among many others, according to the platform website.
Tracked as CVE-2024-38856, the bug carries a score of 9.8 out of 10 on the CVSS vulnerability-severity scale, since it allows pre-authentication remote code execution (RCE). CISA's move comes after proof-of-concept (PoC) exploits were made available to the public following the flaw's disclosure in early August.
Organizations should update to version 18.12.15 to mitigate against the threat. Federal Civilian Executive Branch (FCEB) agencies have been given a deadline of Sept. 17 to do so.
"What I can tell you from a SonicWall perspective [is that] we've seen pretty widespread exploitation attempts," Douglas McKee, executive director of threat research at SonicWall, tells Dark Reading. "And I use the word attempts because we don't necessarily know if they were successful or not. About 16% of our customer base is being attempted to be exploited by this."
CVE-2024-38856 initially was discovered earlier this month by researchers at SonicWall, while they were analyzing a different RCE flaw in the platform, CVE-2024-36104.
CVE-2024-36104 allows remote attackers to access system directories, due to an inadequate validation of user requests. This occurs specifically due to the ControlServlet and RequestHandler functions receiving different endpoints to process after receiving the same request. If functioning correctly, both should get the same endpoint to process.
While testing a patch for CVE-2024-36104, the researchers discovered the next flaw, CVE-2024-38856, which permits unauthenticated access by way of the ProgramExport endpoint, which could potentially enable arbitrary code execution and should be restricted.
McKee notes that ultimately, the discoveries represent a chain involving multiple different vulnerabilities that Apache OFBiz has tried to treat symptoms of, but not the root cause.
"Our researcher looked at the different patches coming out for Apache Office [and] became very familiar with the code base and, as a result, [were] kind of in an attacker mindset," says McKee. "I like to say 'think red, act blue,' right? Which is the concept of thinking like an attacker but doing things for the defensive side." So, with SonicWall's researchers in an attacker mindset, they looked at the fixes in place to patch one vulnerability and tried to get around them, leading to the discovery of another one.
In a blog post, the SonicWall researchers provided an attack chain to exploit CVE-2024-38856, including the following request that an attacker would send to Apache OFBiz to access the program export functionality within the application, as well as the parameter the attackers are passing to get to that:
POST /webtools/control/forgotPassword/ProgramExport HTTP/1.1
groovyProgram=throw new Exception (whoami .execute () .text) ;
Other URLs that can be used to exploit CVE-2024-36104 are:
POST /webtools/control/forgotPassword/ProgramExport
POST /webtools/control/showDateTime/ProgramExport
POST /webtools/control/TestService/ProgramExport
POST /webtools/control/view/ProgramExport
POST /webtools/control/main/ProgramExport
This vulnerability impacts every version of Apache OFBiz up to 18.12.14, and there are no interim patches available; users and organizations must upgrade to the latest version to prevent potential exploitation of the flaw.
"Failure to promptly upgrade could enable threat actors to manipulate login parameters and execute arbitrary code on the target server," according to researchers at Zscaler who also analyzed the bug earlier this month, especially as attackers increasingly capitalize on publicly disclosed PoC exploits for vulnerabilities.
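Since the article notes there is no interim patch, one defensive step is to review web-server access logs for the request shape it describes: a /webtools/control/ path whose first view name differs from its trailing one, with ProgramExport as that trailing view. The following Python is an added example written for this page, not code from SonicWall, Zscaler or the OFBiz project; the log lines are constructed, and the combined-log layout, field names and the "suspicious"/"critical" labels are assumptions.

```python
import re

# Constructed sample access-log lines (combined-log style), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Nov/2024:10:01:02 +0000] "POST /webtools/control/forgotPassword/ProgramExport HTTP/1.1" 200 512
10.0.0.6 - - [23/Nov/2024:10:01:05 +0000] "GET /webtools/control/main HTTP/1.1" 200 2048
10.0.0.7 - - [23/Nov/2024:10:01:09 +0000] "POST /webtools/control/showDateTime/ProgramExport HTTP/1.1" 200 640
10.0.0.8 - - [23/Nov/2024:10:02:11 +0000] "POST /webtools/control/ProgramExport HTTP/1.1" 401 0
10.0.0.9 - - [23/Nov/2024:10:03:00 +0000] "GET /webtools/control/forgotPassword HTTP/1.1" 200 1200
10.0.0.10 - - [23/Nov/2024:10:04:00 +0000] "GET /ecommerce/control/main HTTP/1.1" 200 900
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
CONTROL_PREFIX = "/webtools/control/"
PRIVILEGED_VIEWS = {"ProgramExport"}  # the endpoint the article says must stay restricted

def split_views(path):
    """Return (first_view, last_view) for a /webtools/control/ path, or None.
    The article describes ControlServlet and RequestHandler deriving different
    endpoints from one request; the first and last path segments model those two
    candidates, so a request naming a single view returns them equal."""
    path = path.split("?", 1)[0]  # ignore the query string
    if not path.startswith(CONTROL_PREFIX):
        return None
    segments = [s for s in path[len(CONTROL_PREFIX):].split("/") if s]
    if not segments:
        return None
    return segments[0], segments[-1]

def find_suspicious(log_text):
    """Flag requests whose first and last view names differ, marking them
    'critical' when the trailing view is one that should stay restricted."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        views = split_views(m["path"])
        if views is None or views[0] == views[1]:
            continue  # outside the control servlet, or a single consistent view
        first, last = views
        findings.append({
            "ip": m["ip"], "method": m["method"], "path": m["path"],
            "status": int(m["status"]), "first_view": first, "last_view": last,
            "severity": "critical" if last in PRIVILEGED_VIEWS else "suspicious",
        })
    return findings

FINDINGS = find_suspicious(SAMPLE_LOG)  # two ProgramExport hits from the constructed sample
```

A request with a single consistent view name (such as a bare ProgramExport call that was correctly refused) is not flagged; the signal is the mismatch between the two view names, which is what the patch-evasion chain in the article relies on.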
