A recent Apache OFBiz zero-day...
Business Fortune
06 August, 2024
A newly discovered zero-day in the open-source enterprise resource planning (ERP) system Apache OFBiz is a pre-authentication vulnerability that could give threat actors remote code execution on vulnerable installations.
The vulnerability is tracked as CVE-2024-38856 and carries a CVSS score of 9.8 out of 10. Apache OFBiz versions prior to 18.12.15 are affected.
The vulnerability was found and disclosed by SonicWall, which said in its write-up that the root cause is a flaw in the authentication mechanism: it lets an unauthenticated user reach functionality that normally requires a logged-in user, and that access in turn opens the door to remote code execution.
CVE-2024-38856 is also a bypass of the fix for CVE-2024-36104, a path traversal issue that was patched in early June with the release of 18.12.14.
According to SonicWall, the vulnerability lies in the override view feature, which lets unauthenticated threat actors reach critical endpoints and use them to execute code remotely through carefully crafted requests.
Security researcher Hasib Vhora explained that the ProgramExport endpoint, which is meant to require authentication, was exposed to unauthenticated access by chaining it with any endpoint that does not require authentication and abusing the override view functionality. Because ProgramExport executes server-side code supplied in the request, reaching it without credentials amounts to remote code execution.
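As an added example (not code from the article, SonicWall or the OFBiz project), the following Python script shows two checks a defender would want after reading the above: a version test against the fixed release, and a scan of web-server access logs for the chaining pattern described, where a second controller view is appended to the path of a request URI that needs no login. The log lines are constructed, the view name `publicView` is a placeholder for any unauthenticated request URI, and the URL layout `/<webapp>/control/<requestUri>/<overrideView>` is an assumption based on how OFBiz's controller accepts an override view in the path.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample lines in Apache combined log format; not from any real incident.
# "publicView" is a placeholder for an OFBiz request URI that does not require
# authentication (assumption, not a real view name from the article).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Aug/2024:10:01:12 +0000] "GET /webtools/control/main HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
10.0.0.7 - - [06/Aug/2024:10:02:45 +0000] "POST /webtools/control/publicView/ProgramExport HTTP/1.1" 200 812 "-" "curl/8.1"
10.0.0.9 - - [06/Aug/2024:10:03:01 +0000] "GET /accounting/control/login HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Aug/2024:10:03:30 +0000] "POST /webtools/control/ProgramExport HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

FIXED_VERSION = (18, 12, 15)  # first release that carries the fix for CVE-2024-38856

# Combined log format: client IP, timestamp, request line and status code are enough here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Assumed OFBiz controller URL layout: /<webapp>/control/<requestUri>[/<overrideView>]
CONTROL_RE = re.compile(r'^/(?P<webapp>[^/]+)/control/(?P<rest>.+)$')

# Views that should never be reachable through an override on an unauthenticated request.
SENSITIVE_VIEWS = {"ProgramExport"}


def is_affected(version: str) -> bool:
    """True when an OFBiz version string (e.g. '18.12.14') is older than the fixed release."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts < FIXED_VERSION


def override_view_chain(path: str) -> Optional[Tuple[str, str]]:
    """Return (requestUri, overrideView) if the path appends an override view to a
    controller request URI, otherwise None. Query strings are ignored."""
    path = path.split("?", 1)[0]
    m = CONTROL_RE.match(path)
    if not m:
        return None
    segments = [s for s in m.group("rest").split("/") if s]
    if len(segments) < 2:
        return None  # plain request URI, no override view in the path
    return segments[0], segments[-1]


def suspicious_requests(log_text: str) -> List[Tuple[str, str, str]]:
    """Flag requests whose override view is a sensitive endpoint, regardless of the
    (possibly unauthenticated) request URI it was chained behind."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        chain = override_view_chain(m.group("path"))
        if chain and chain[1] in SENSITIVE_VIEWS:
            hits.append((m.group("ip"), m.group("method"), m.group("path")))
    return hits


if __name__ == "__main__":
    for v in ("18.12.14", "18.12.15"):
        print(f"OFBiz {v}: {'AFFECTED' if is_affected(v) else 'fixed'}")
    for ip, method, path in suspicious_requests(SAMPLE_LOG):
        print(f"override-view chain to sensitive endpoint from {ip}: {method} {path}")
```

The direct `POST /webtools/control/ProgramExport` in the sample is not flagged: without an override segment the normal authentication check applies, which is why that line shows a redirect. Only the request that tucks `ProgramExport` behind another request URI matches, which is the pattern to hunt for in existing logs while the upgrade to 18.12.15 is scheduled.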
The disclosure coincides with reports that a second critical path traversal vulnerability in OFBiz, CVE-2024-32113, which can also lead to remote code execution, is being actively exploited to deploy the Mirai botnet. That flaw was patched in May 2024.