lconstantin
CSO Senior Writer

New critical Apache OFBiz vulnerability patched as older flaw is actively exploited

News
05 Aug 2024, 3 mins
Open Source, Vulnerabilities

Researchers discovered a new RCE flaw while analyzing the patch for a different flaw currently targeted by attackers. As the fifth critical flaw this year for the ERP framework, users are urged to update ASAP.

Researchers warn of a new critical vulnerability in Apache OFBiz, an open-source enterprise resource planning (ERP) system and framework. The flaw potentially allows for remote code execution (RCE) without authentication and was patched shortly after news that another vulnerability fixed back in May is being exploited in the wild.

The new vulnerability, tracked as CVE-2024-38856, was discovered by researchers from SonicWall and is rated critical. It impacts Apache OFBiz versions up to 18.12.14 and was patched in version 18.12.15 released on Aug. 3.

Apache OFBiz, originally named Open for Business, offers modules for managing business processes such as accounting, HR, supply chain management, product catalog management, customer relationship management (CRM), manufacturing, e-commerce, and more. These modules are built on an Apache-based web development framework that can also be used to build additional custom applications and features.

It’s unclear how many enterprises employ Apache OFBiz, since many organizations might use it only internally, but based on public data, known users include large organizations such as IBM, HP, Accenture, United Airlines, Home Depot, and Upwork. Some third-party commercial applications, such as Atlassian JIRA, also use OFBiz modules. The project is used globally and across many industries, but over 40% of known users are based in the US.

The Open Web Application Security Project (OWASP) recently updated its list of top 10 open source security risks for enterprises, with known vulnerabilities topping the list.

New flaw found by analyzing previous one

The new flaw is located in the override view functionality and allows unauthenticated attackers to access sensitive and restricted endpoints using specially crafted requests. This can pave the way for remote code execution.

In fact, the SonicWall researchers found the vulnerability while analyzing OFBiz’s patch for a different path traversal flaw fixed in version 18.12.14 in late May. That flaw, tracked as CVE-2024-36104, can also lead to remote code execution. A proof-of-concept exploit has been available since it was disclosed, and at the end of July the SANS Internet Storm Center reported seeing in-the-wild exploitation attempts for it.

It’s worth noting that a different authentication bypass flaw (CVE-2023-51467), found by SonicWall researchers in OFBiz back in December 2023, was also later exploited in the wild. This suggests that OFBiz is a target of interest for attackers, and that applications built with the framework that are exposed to the internet are at immediate risk.

It’s also worth noting that CVE-2024-38856 is the fifth security vulnerability rated as critical or important that was found and patched in OFBiz this year. Organizations relying on this ERP framework should upgrade to the latest version as soon as possible and ensure that OFBiz is covered by their vulnerability monitoring products.
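A vulnerability-monitoring check only works if it compares release numbers correctly; a naive string comparison ranks "18.12.9" above "18.12.15" and would report a vulnerable host as patched. The script below is an added example written for this article, not code from CSO or the Apache OFBiz project. The only facts it encodes are the fixed-in versions stated above (CVE-2024-38856 affects releases up to 18.12.14 and is fixed in 18.12.15; CVE-2024-36104 was fixed in 18.12.14); the host names and versions in the inventory are constructed sample input, and the CSV layout is an assumption.

```python
"""Triage an OFBiz host inventory against the two advisories the article
describes. Added example, not CSO's or the OFBiz project's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    fixed_in: tuple  # first release that is no longer affected


# Fixed-in versions as stated in the article above.
ADVISORIES = (
    Advisory("CVE-2024-38856", (18, 12, 15)),
    Advisory("CVE-2024-36104", (18, 12, 14)),
)

# Constructed sample inventory: "host,version" per line (layout is an assumption).
SAMPLE_INVENTORY = """\
erp-prod-01,18.12.13
erp-staging,18.12.15
hr-portal,18.12.14
legacy-shop,18.12.9
"""


def parse_version(text):
    """Turn '18.12.9' into (18, 12, 9) so comparisons are numeric.

    Python compares tuples element by element, so (18, 12, 9) < (18, 12, 15),
    whereas the strings '18.12.9' and '18.12.15' compare the other way round.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def affected_cves(version_text):
    """Return the CVEs from ADVISORIES that still apply to the given release."""
    version = parse_version(version_text)
    return [a.cve for a in ADVISORIES if version < a.fixed_in]


def triage(inventory_csv):
    """Map each host to the advisories it is still exposed to.

    A host mapped to an empty list is current with respect to both advisories.
    Blank lines are skipped; a malformed version raises rather than being
    silently treated as patched.
    """
    report = {}
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, version = line.split(",", 1)
        report[host.strip()] = affected_cves(version)
    return report


if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        status = ", ".join(cves) if cves else "up to date"
        print(f"{host:12s} {status}")
```

Hosts on 18.12.14 show up as exposed to CVE-2024-38856 only, because that release already carries the fix for CVE-2024-36104; anything below 18.12.14 is listed for both. Feeding real inventory data through `triage` lets you confirm that the monitoring product's own version logic agrees with a numeric comparison before trusting its "not affected" verdicts.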

SonicWall congratulated the OFBiz developers for their quick response, with a working patch sent back to the researchers for analysis in less than 24 hours.