DIVD-2024-00039 - Incorrect authorization vulnerability in Apache OFBiz resulting in RCE
Our reference | DIVD-2024-00039 |
Case lead | Wessel Baltus |
Researcher(s) | |
CVE(s) | |
Products | |
Versions | |
Recommendation | Update to Apache OFBiz version 18.12.15 or higher if available |
Patch status | Patch available |
Workaround | None |
Status | Open |
Last modified | 02 Oct 2024 21:31 CEST |
Summary
CVE-2024-38856 is a critical pre-authentication remote code execution (RCE) vulnerability in Apache OFBiz. The flaw stems from insufficient validation of the ProgramExport endpoint, which can be accessed without authentication. Attackers exploit this by chaining the ProgramExport endpoint with other publicly accessible endpoints, effectively bypassing authentication controls. This allows the execution of arbitrary code on vulnerable systems, leading to full system compromise. The vulnerability affects versions of OFBiz up to 18.12.14, and upgrading to version 18.12.15 is required to mitigate this threat.
Recommendations
Apache OFBiz versions 18.12.14 and below are vulnerable. Upgrade to version 18.12.15 or higher as soon as possible.
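To check whether an instance received requests for the ProgramExport endpoint before it was upgraded, the web access logs can be searched for it. The script below is an added example, not DIVD or Apache OFBiz code: it assumes Common/Combined Log Format, the sample lines and their paths are constructed, and treating 2xx responses as the ones to review first is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Common/Combined Log Format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def decode_path(target, rounds=3):
    """Return the request path with up to `rounds` layers of percent-encoding removed."""
    path = urlsplit(target).path
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def find_programexport_hits(lines):
    """Map client address -> [(time, method, decoded_path, status)] for matching requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line this parser understands
        path = decode_path(m["target"])
        if "programexport" in path.lower():  # case-insensitive, after decoding
            hits[m["host"]].append((m["time"], m["method"], path, int(m["status"])))
    return dict(hits)

def clients_with_success(hits):
    """Clients that received at least one 2xx response (assumption: review these first)."""
    return sorted(c for c, reqs in hits.items() if any(200 <= r[3] < 300 for r in reqs))

# Constructed sample lines: documentation address ranges, hypothetical paths.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Sep/2024:10:15:02 +0200] "POST /example-app/some/path/ProgramExport HTTP/1.1" 200 5120',
    '203.0.113.7 - - [29/Sep/2024:10:15:09 +0200] "POST /example-app/Program%45xport HTTP/1.1" 200 5098',
    '198.51.100.4 - - [29/Sep/2024:10:16:40 +0200] "GET /example-app/main HTTP/1.1" 200 812',
    '192.0.2.55 - - [29/Sep/2024:10:17:11 +0200] "GET /example-app/ProgramExport;jsessionid=ABC HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    found = find_programexport_hits(SAMPLE_LOG)
    for client, reqs in found.items():
        for when, method, path, status in reqs:
            print(client, when, method, path, status)
    print("review first:", clients_with_success(found))
```
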
What we are doing
DIVD is currently working to identify parties that are running a vulnerable version of Apache OFBiz and to notify them. We do this by finding vulnerable Apache OFBiz instances that are connected to the Internet and verifying the vulnerability using a non-weaponized exploit.
Timeline
Date | Description |
---|---|
29 Sep 2024 | DIVD starts researching the vulnerability. |
29 Sep 2024 | DIVD finds fingerprint, preparing to scan. |
29 Sep 2024 | Case opened, first version of this case file. |
29 Sep 2024 | DIVD starts scanning the internet for vulnerable instances. |
01 Oct 2024 | DIVD starts notifying network owners with a vulnerable instance in their network. |
More information
- CVE-2024-38856
- National Vulnerability Database for CVE-2024-38856
- In-depth information on CVE-2024-23692