CISA has added a critical security flaw in the Apache OFBiz open source enterprise resource planning (ERP) system to its Known Exploited Vulnerabilities (KEV) catalog.
Apache OFBiz is a system that helps industries manage their operations, such as customer relations, human resource functions, order processing, and warehouse management. Roughly 170 companies use Apache OFBiz, 41% of them in the US. These include bigwigs such as United Airlines, Home Depot, and HP Development, among many others, according to the platform website.
Tracked as CVE-2024-38856, the bug carries a score of 9.8 out of 10 on the CVSS vulnerability-severity scale, since it allows pre-authentication remote code execution (RCE). CISA's move comes after proof-of-concept (PoC) exploits were made available to the public following the flaw's disclosure in early August.
Organizations should update to version 18.12.15 to mitigate the threat. Federal Civilian Executive Branch (FCEB) agencies have been given a deadline of Sept. 17 to do so.
One Vulnerability Leads to Another
CVE-2024-38856 was initially discovered earlier this month by researchers at SonicWall while they were analyzing a different RCE flaw in the platform, CVE-2024-36104.
CVE-2024-36104 allows remote attackers to access system directories because of inadequate validation of user requests. Specifically, the ControlServlet and RequestHandler functions end up with different endpoints to process after receiving the same request; if the platform were functioning correctly, both would get the same endpoint.
While testing a patch for CVE-2024-36104, the researchers discovered the next flaw, CVE-2024-38856, which permits unauthenticated access to the ProgramExport endpoint. That endpoint could potentially enable arbitrary code execution and should be restricted.
Avoiding Exploitation
In a blog post, the SonicWall researchers provided an example of an attack chain in which a threat actor could exploit CVE-2024-38856 by sending the following request:
"POST /webtools/control/forgotPassword/ProgramExport HTTP/1.1
groovyProgram=throw new Exception ('whoami' .execute () .text) ;"
Other URLs that can be used to exploit CVE-2024-36104 are:
POST /webtools/control/forgotPassword/ProgramExport
POST /webtools/control/showDateTime/ProgramExport
POST /webtools/control/TestService/ProgramExport
POST /webtools/control/view/ProgramExport
POST /webtools/control/main/ProgramExport
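As an added example (not code from SonicWall, Zscaler or the OFBiz project), here is a small Python detector that flags the request pattern listed above in web-server access logs: a POST that reaches ProgramExport through another controller path such as forgotPassword or showDateTime. The Common Log Format and the sample lines are constructed assumptions; direct requests to /webtools/control/ProgramExport are deliberately not flagged, since that is the endpoint's normal, access-controlled path.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2024:10:01:02 +0000] "POST /webtools/control/forgotPassword/ProgramExport HTTP/1.1" 200 512
198.51.100.7 - - [10/Aug/2024:10:01:05 +0000] "GET /webtools/control/main HTTP/1.1" 200 2048
203.0.113.5 - - [10/Aug/2024:10:01:09 +0000] "POST /webtools/control/showDateTime/ProgramExport HTTP/1.1" 200 498
192.0.2.9 - - [10/Aug/2024:10:02:11 +0000] "POST /webtools/control/ProgramExport HTTP/1.1" 401 0
192.0.2.9 - - [10/Aug/2024:10:02:20 +0000] "POST /webtools/control/view/ProgramExport?x=1 HTTP/1.1" 200 700
"""

# Minimal Common Log Format parser: client IP, timestamp, method, URI, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

# The reported pattern: some other controller request (forgotPassword,
# showDateTime, TestService, view, main, ...) followed by a /ProgramExport
# segment. A direct /webtools/control/ProgramExport request does not match.
PROGRAM_EXPORT_CHAIN_RE = re.compile(
    r'^/webtools/control/[^/?]+/ProgramExport(?:[/?]|$)', re.IGNORECASE
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed fields of one log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_programexport_chain(uri: str) -> bool:
    """True when the URI reaches ProgramExport via another controller path."""
    return bool(PROGRAM_EXPORT_CHAIN_RE.match(uri))


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Return every POST record whose URI matches the chained pattern."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"].upper() == "POST" and is_programexport_chain(rec["uri"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_suspicious(SAMPLE_LOG):
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["uri"]} -> {rec["status"]}')
```

Three of the five constructed lines are reported; a 200 status on such a request is the case worth escalating, since the endpoint is supposed to require authentication.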
This vulnerability impacts every version of Apache OFBiz up to 18.12.14, and there are no interim patches available; users and organizations must upgrade to the latest version to prevent potential exploitation of the flaw.
Failure to promptly upgrade could "enable threat actors to manipulate login parameters and execute arbitrary code on the target server," according to researchers at Zscaler who also analyzed the bug earlier this month, especially as attackers increasingly capitalize on publicly disclosed PoC exploits for vulnerabilities.