{"id":5080,"date":"2024-08-29T14:10:56","date_gmt":"2024-08-29T19:10:56","guid":{"rendered":"https:\/\/www.darkreading.com\/threat-intelligence\/cisa-highlights-apache-ofbiz-flaw-after-poc-open-access"},"modified":"2024-08-29T14:10:56","modified_gmt":"2024-08-29T19:10:56","slug":"exploited-cisa-highlights-apache-ofbiz-flaw-after-poc-emerges","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/08\/29\/exploited-cisa-highlights-apache-ofbiz-flaw-after-poc-emerges\/","title":{"rendered":"Exploited: CISA Highlights Apache OFBiz Flaw After PoC Emerges"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

CISA has <\/span>added a critical security flaw<\/a><\/span> in the Apache OFBiz open source enterprise resource planning (ERP) system to its Known Exploited Vulnerabilities (KEV) catalog.<\/span><\/p>\n

Apache OFBiz is a system that helps industries manage their operations, such as customer relations, human resource functions, order processing, and warehouse management. Roughly 170 companies use Apache OFBiz, 41% of them in the US. These include bigwigs such as United Airlines, Home Depot, and HP Development, among many others, according to the platform website.<\/span><\/p>\n

Tracked as <\/span>CVE-2024-38856<\/a><\/span>, the bug carries a score of 9.8 out of 10 on the CVSS vulnerability-severity scale, since it allows pre-authentication remote code execution (RCE). CISA’s move comes after proof-of-concept (PoC) exploits were made available to the public following the flaw’s disclosure in early August.<\/span><\/p>\n

Organizations should update to version 18.12.15 to mitigate against the threat. Federal Civilian Executive Branch (FCEB) agencies have been given a deadline of Sept. 17 to do so.<\/span><\/p>\n

One Vulnerability Leads to Another<\/h2>\n

CVE-2024-38856 initially was discovered earlier this month by researchers at SonicWall, while they were analyzing a different RCE flaw in the platform, CVE-2024-36104.<\/span><\/p>\n

CVE-2024-36104 allows remote attackers to access system directories, due to an inadequate validation of user requests. This occurs specifically due to the <\/span>ControlServlet<\/span><\/span> and <\/span>RequestHandler<\/span><\/span> functions receiving different endpoints to process after receiving the same request. If functioning correctly, both should get the same endpoint to process.<\/span><\/p>\n

While testing a patch for CVE-2024-36104, the researchers discovered the next flaw, CVE-2024-38856, which permits unauthenticated access by way of the ProgramExport endpoint, which could potentially enable arbitrary code execution and should be restricted.<\/span><\/p>\n

Avoiding Exploitation<\/h2>\n

In a blog post, the SonicWall researchers provided an example of an attack chain in which a threat actor could exploit CVE-2024-38856 using the following input, and then gaining the subsequent output:<\/span><\/p>\n

“POST \/webtools\/control\/forgotPassword\/ProgramExport HTTP\/1.1<\/span><\/p>\n

groovyProgram=throw new Exception (‘whoami’ .execute () .text) ;”<\/span><\/p>\n

Other URLs that can be used to exploit CVE-2024-36104 are:<\/span><\/p>\n

\n