Exploited: CISA Highlights Apache OFBiz Flaw After PoC Emerges

  /     /     /  
Publicated : 23/11/2024   Category : security

Exploited: CISA Highlights Apache OFBiz Flaw After PoC Emerges


The vulnerability carries nearly the highest score possible on the CVSS scale, at 9.8, impacting a system used by major companies around the world.


CISA has
added a critical security flaw
in the Apache OFBiz open source enterprise resource planning (ERP) system to its Known Exploited Vulnerabilities (KEV) catalog.
Apache OFBiz is a system that helps industries manage their operations, such as customer relations, human resource functions, order processing, and warehouse management. Roughly 170 companies use Apache OFBiz, 41% of them in the US. These include bigwigs such as United Airlines, Home Depot, and HP Development, among many others, according to the platform website.
Tracked as
CVE-2024-38856
, the bug carries a score of 9.8 out of 10 on the CVSS vulnerability-severity scale, since it allows pre-authentication remote code execution (RCE). CISAs move comes after proof-of-concept (PoC) exploits were made available to the public following the flaws disclosure in early August.
Organizations should update to version 18.12.15 to mitigate against the threat. Federal Civilian Executive Branch (FCEB) agencies have been given a deadline of Sept. 17 to do so.
What I can tell you from a SonicWall perspective [is that] weve seen pretty widespread exploitation attempts, Douglas McKee, executive director of threat research at SonicWall, tells Dark Reading. And I use the word attempts because we dont necessarily know if they were successful or not. About 16% of our customer base is being attempted to be exploited by this.
CVE-2024-38856 initially was discovered earlier this month by researchers at SonicWall, while they were analyzing a different RCE flaw in the platform, CVE-2024-36104.
CVE-2024-36104 allows remote attackers to access system directories, due to an inadequate validation of user requests. This occurs specifically due to the 
ControlServlet
 and
RequestHandler
 functions receiving different endpoints to process after receiving the same request. If functioning correctly, both should get the same endpoint to process.
While testing a patch for CVE-2024-36104, the researchers discovered the next flaw, CVE-2024-38856, which permits unauthenticated access by way of the ProgramExport endpoint, which could potentially enable arbitrary code execution and should be restricted.
McKee notes that ultimately, the discoveries represent a chain involving multiple different vulnerabilities that Apache OFBiz has tried to treat symptoms of, but not the root cause.
Our researcher looked at the different patches coming out for Apache Office [and] became very familiar with the code base and, as a result, [were] kind of in an attacker mindset, says McKee. I like to say ‘think red, act blue’ right? Which is the concept of thinking like an attacker but doing things for the defensive side. So, with SonicWalls researchers in an attacker mindset, they looked at the fixes in place to patch one vulnerability and tried to get around them, leading to the discovery of another one. 
In a blog post, the SonicWall researchers provided an attack chain to exploit CVE-2024-38856 including the following request that an attacker would send to Apache OFBiz to access the program export functionality within the application as well as the parameter the attackers are passing to get to that:
POST /webtools/control/forgotPassword/ProgramExport HTTP/1.1
groovyProgram=throw new Exception (whoami .execute () .text) ;
Other URLs that can be used to exploit CVE-2024-36104 are:
POST /webtools/control/forgotPassword/ProgramExport
POST /webtools/control/showDateTime/ProgramExport
POST /webtools/control/TestService/ProgramExport
POST /webtools/control/view/ProgramExport
POST /webtools/control/main/ProgramExport
This vulnerability impacts every version of the Apache OFBiz up to 18.12.14, and there are no interim patches available; users and organizations must upgrade to the the latest version to prevent potential exploitation of the flaw.
Failure to promptly upgrade could enable threat actors to manipulate login parameters and execute arbitrary code on the target server,
according to researchers at Zscaler
who also analyzed the bug earlier this month, especially as attackers increasingly capitalize off of publicly disclosed PoC exploits for vulnerabilities. 

Last News

▸ ArcSight prepares for future at user conference post HP acquisition. ◂
Discovered: 07/01/2025
Category: security
▸ Samsung Epic 4G: First To Use Media Hub ◂
Discovered: 07/01/2025
Category: security
▸ Many third-party software fails security tests ◂
Discovered: 07/01/2025
Category: security


Cyber Security Categories
Google Dorks Database
 		Exploits Vulnerability
 		Exploit Shellcodes

CVE List
 		Tools/Apps
 		News/Aarticles

Phishing Database
 		Deepfake Detection
 		Trends/Statistics & Live Infos



Tags:
Exploited: CISA Highlights Apache OFBiz Flaw After PoC Emerges