A new critical vulnerability in Apache OFBiz has been uncovered – here's what you need to know


Researchers have discovered a new critical vulnerability in the open source enterprise resource planning (ERP) system Apache OFBiz, exposing critical endpoints to unauthenticated threat actors.

Apache OFBiz offers enterprises a suite of business applications and tools to manage business functions, helping them automate various aspects of their accounting, HR, manufacturing, CRM, and e-commerce operations.

CVE-2024-38856 is a pre-authentication remote code execution (RCE) vulnerability, rated a 9.8 on the CVSS, and affects Apache OFBiz versions up to 18.12.14.

The SonicWall Capture Labs threat research team discovered the issue while investigating a separate vulnerability affecting Apache OFBiz, CVE-2024-36104, an unauthenticated path traversal flaw disclosed on 3 June 2024.

The team noticed that the ControlServlet and RequestHandler functions received different endpoints to process from the same request, and suspected that the root cause of the issue lay in the system's authentication process.

The patch for CVE-2024-36104 showed that Apache had introduced checks to prevent the path traversal attack vectors made possible by this discrepancy. When analyzing that patch, however, SonicWall researchers found they could still gain unauthenticated access to a specific endpoint by chaining it with other endpoints that don't require authentication.
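The class of flaw described above, as an added toy model that is not part of the article or of OFBiz's own code: one component decides whether authentication is required from one part of the request, while another component dispatches on a different part, so a protected request name can ride along behind an unauthenticated one. The endpoint names, the first/last-segment rule and the path layout are constructed for illustration and are not OFBiz's real endpoints or logic; the hardened version resolves the request name once and rejects ambiguous paths.

```python
"""Toy model of an auth-gate/dispatcher discrepancy (hypothetical, not OFBiz code)."""

# Constructed endpoint table: which named requests require a logged-in user.
ENDPOINTS = {
    "login": {"auth": False},
    "forgotPassword": {"auth": False},
    "exportData": {"auth": True},
}


def endpoints_in_path(path: str) -> list:
    """Return every path segment that names a known request, in order."""
    return [seg for seg in path.strip("/").split("/") if seg in ENDPOINTS]


def vulnerable_dispatch(path: str, logged_in: bool) -> str:
    """Gate and dispatcher resolve the request independently (constructed rule:
    the gate uses the first recognised name, the dispatcher the last)."""
    names = endpoints_in_path(path)
    if not names:
        return "404"
    gate_target, run_target = names[0], names[-1]
    if ENDPOINTS[gate_target]["auth"] and not logged_in:
        return "401"
    return f"ran:{run_target}"


def hardened_dispatch(path: str, logged_in: bool) -> str:
    """Resolve the request name exactly once and make both decisions from it."""
    names = endpoints_in_path(path)
    if len(names) != 1:  # a path naming several requests is ambiguous: reject it
        return "400"
    target = names[0]
    if ENDPOINTS[target]["auth"] and not logged_in:
        return "401"
    return f"ran:{target}"


def audit(dispatch, paths) -> list:
    """Regression check: list every path that, sent without a session,
    caused a protected endpoint to execute."""
    findings = []
    for p in paths:
        result = dispatch(p, logged_in=False)
        if result.startswith("ran:") and ENDPOINTS[result[4:]]["auth"]:
            findings.append(p)
    return findings


# Constructed sample requests for the audit.
SAMPLE_PATHS = ["/control/login", "/control/exportData", "/control/forgotPassword/exportData"]
```

Running `audit` over `SAMPLE_PATHS` flags the chained path for the vulnerable dispatcher and nothing for the hardened one, which is the kind of check a test suite can keep in place after a fix.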

This marks the fifth critical security vulnerability affecting Apache OFBiz to be patched in 2024, and the second major flaw SonicWall has discovered in the space of a year following its discovery of CVE-2023-51467 in December 2023.

SonicWall noted that the Apache OFBiz team was quick to fix the vulnerability, and confirmed its researchers were unable to run the same exploit following the patch.

“We appreciate the prompt response and remediation by the Apache OFBiz team. They demonstrated extreme care for the security of their customers and were a pleasure to work with. The time from reporting the vulnerability to receiving a patch for analysis was less than 24 hours.”

Apache OFBiz flaw could further enhance threat actors’ arsenal

Speaking to ITPro, Hasib Vhora, threat researcher at SonicWall and author of the report on CVE-2024-38856, outlined the potential dangers the flaw poses to an organization if exploited.

"Successful exploitation of this vulnerability yields a remote threat actor ability to execute arbitrary code and eventually get control over the affected system. With APTs reportedly targeting vulnerable OFBiz servers using the Mirai botnet, this vulnerability could further enhance their arsenal."

According to publicly available data, around 170 businesses use Apache OFBiz around the world, with 41% of its users located in the US, 19% residing in India, and smaller numbers in Germany (7%), France (6%), and the UK (5%).

Apache OFBiz’s customers primarily operate in the technology and services industry (25%), computer software (17%), internet (6%), and retail sectors (5%), with many more using OFBiz in some part of their software supply chain.

The platform boasts large customers including United Airlines, Atlassian JIRA, GrowERP, Cognizant, Technology Solutions Corp., and Titan Industries.

To complement Apache OFBiz’s patch, SonicWall has developed an IPS signature, IPS:4455, to detect active exploitation of the vulnerability, and said that at this time it was not aware of any attempts to exploit CVE-2024-38856 in the wild.

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing, which has led him to develop a particular interest in IT regulation, industrial infrastructure applications, and machine learning.