CISA Flags Critical Apache OFBiz Flaw Amid Active Exploitation Reports

Aug 28, 2024 | Ravie Lakshmanan | Software Security / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw affecting the Apache OFBiz open-source enterprise resource planning (ERP) system to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

The vulnerability, tracked as CVE-2024-38856, carries a CVSS score of 9.8, indicating critical severity.


“Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker,” CISA said.

Details of the vulnerability first came to light earlier this month after SonicWall described it as a patch bypass for another flaw, CVE-2024-36104, that permits remote code execution via specially crafted requests.

“A flaw in the override view functionality exposes critical endpoints to unauthenticated threat actors using a crafted request, paving the way for remote code execution,” SonicWall researcher Hasib Vhora said.

The development comes nearly three weeks after CISA added a third flaw impacting Apache OFBiz (CVE-2024-32113) to the KEV catalog, following reports that it had been abused to deploy the Mirai botnet.

While there are currently no public reports about how CVE-2024-38856 is being weaponized in the wild, proof-of-concept (PoC) exploits have been made publicly available.


The active exploitation of two Apache OFBiz flaws is a sign that attackers are showing significant interest in, and a tendency to pounce on, publicly disclosed vulnerabilities to opportunistically breach vulnerable instances for nefarious ends.

Organizations are recommended to update to version 18.12.15 to mitigate the threat. Federal Civilian Executive Branch (FCEB) agencies have been mandated to apply the required updates by September 17, 2024.
