CISA highlights critical Apache OFBiz flaw following reports of active exploitation

28 August 2024 · Ravie Lakshmanan · Software security / vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical vulnerability in the open source enterprise resource planning (ERP) system Apache OFBiz to its Known Exploited Vulnerabilities (KEV) catalog, citing indications of active exploitation in the wild.

The vulnerability, tracked as CVE-2024-38856, carries a CVSS score of 9.8, indicating critical severity.

“Apache OFBiz contains a faulty authorization vulnerability that could allow an unauthenticated attacker to perform remote code execution via a Groovy payload in the context of the OFBiz user process,” CISA said.

Details of this vulnerability first came to light earlier this month after SonicWall described it as a patch bypass for another flaw, CVE-2024-36104, that allows remote code execution via specially crafted requests.

“A flaw in the Override View functionality exposes critical endpoints to unauthenticated threat actors via a crafted request, paving the way for remote code execution,” said SonicWall researcher Hasib Vhora.

This development comes nearly three weeks after CISA added a third Apache OFBiz vulnerability (CVE-2024-32113) to the KEV catalog following reports that the vulnerability had been exploited to deploy the Mirai botnet.

While there are currently no public reports detailing how CVE-2024-38856 is being weaponized in the wild, proof-of-concept (PoC) exploits have been made publicly available.

The active exploitation of two Apache OFBiz vulnerabilities indicates that attackers take a strong interest in publicly disclosed flaws and tend to exploit them opportunistically to breach unpatched instances for malicious ends.

Organizations are advised to update to version 18.12.15 to mitigate the threat. Federal Civilian Executive Branch (FCEB) agencies have been mandated to apply the required updates by September 17, 2024.