Analysis Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability, CVE-2024-38856, affecting the Apache OFBiz open-source enterprise resource planning (ERP) system to its Known Exploited Vulnerabilities (KEV) catalog.

This vulnerability has a CVSS score of 9.8, indicating its high severity. It allows remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker. The flaw is due to incorrect authorization within Apache OFBiz, which exposes critical endpoints that could be exploited by attackers through crafted requests.

According to the researchers, the discovery of CVE-2024-38856 identified the flaw as a patch bypass for another vulnerability, CVE-2024-36104, which also enables remote code execution through specially crafted requests. This vulnerability is particularly concerning as it presents an easy target for attackers to exploit unpatched systems, leading to potential unauthorized access and control over affected ERP systems. The vulnerability's inclusion in the KEV catalog underscores the urgency of addressing this security risk.

CISA's addition of CVE-2024-38856 to the KEV catalog is part of a broader recognition of the Apache OFBiz platform's susceptibility to attacks. Earlier, CISA had listed another Apache OFBiz flaw, CVE-2024-32113, due to its exploitation to deploy the Mirai botnet. The active exploitation of these vulnerabilities demonstrates a pattern of attackers quickly leveraging publicly disclosed vulnerabilities to compromise systems, highlighting the critical need for organizations to stay vigilant and promptly apply security patches.

To mitigate the risk associated with CVE-2024-38856, organizations using Apache OFBiz are strongly advised to update their systems to version 18.12.15, which addresses this critical flaw. Federal Civilian Executive Branch (FCEB) agencies, in particular, have been mandated to implement these updates by September 17, 2024. This directive aims to prevent unauthorized access and potential exploitation by threat actors, reinforcing the importance of timely software maintenance and security updates in safeguarding digital infrastructure.

Impact

• Security Bypass
• Code Execution
• Unauthorized Access

Indicators of Compromise

CVE

• CVE-2024-38856

Affected Vendors

Remediation

• Upgrade to the latest version of Apache OFBiz, available from the Apache Website.
• Actively monitor network traffic and system logs for any signs of unauthorized access or suspicious activity that may indicate an exploitation attempt.
• Limit access to Apache OFBiz systems to only trusted networks and users, reducing the attack surface available to potential threat actors.
• Deploy WAFs to detect and block malicious payloads or crafted requests attempting to exploit vulnerabilities in web applications, including Apache OFBiz.
• Periodically audit and review configurations of Apache OFBiz and related systems to ensure that they follow security best practices and that no unauthorized changes have been made.
• Provide ongoing cybersecurity training to staff, emphasizing the importance of patch management and awareness of the latest threats.
• Maintain regular backups of critical data, ensuring that they are stored securely and are not accessible from vulnerable systems, to facilitate recovery in the event of an attack.
• Stay informed about security advisories from Apache and other relevant vendors to quickly address any new vulnerabilities.