Skip to the content.

DIVD-2024-00039 - Incorrect authorization vulnerability in Apache OFBiz resulting in RCE

Our reference DIVD-2024-00039
Case lead Wessel Baltus
Researcher(s)
CVE(s)
Products
  • Apache OFBiz
Versions
  • versions 18.12.14 and below
Recommendation Update to Apache OFBiz version 18.12.15 or higher if available
Patch status Patch available
Workaround None
Status Closed
Last modified 02 Dec 2024 20:18 CET

Summary

CVE-2024-38856 is a critical pre-authentication remote code execution (RCE) vulnerability in Apache OFBiz. The flaw stems from insufficient validation of the ProgramExport endpoint, which can be accessed without authentication. Attackers exploit this by chaining the ProgramExport endpoint with other publicly accessible endpoints, effectively bypassing authentication controls. This allows the execution of arbitrary code on vulnerable systems, leading to full system compromise. The vulnerability affects versions of OFBiz up to 18.12.14, and upgrading to version 18.12.15 is required to mitigate this threat.

Recommendations

The Apache OFBiz versions 18.12.14 and below are vulnerable. Upgrade to version 18.12.15 or higher as soon as possible.

What we are doing

DIVD is currently working to identify parties that are running a version of Apache OFBiz servers that contain this vulnerability and notify these parties. We do this by finding vulnerable Apache OFBiz instances that are connected to the Internet and verifying vulnerability using an non-weaponized exploit.

Timeline

Date Description
29 Sep 2024 DIVD starts researching the vulnerability.
29 Sep 2024 DIVD finds fingerprint, preparing to scan.
29 Sep 2024 Case opened, first version of this casefile.
29 Sep 2024 DIVD starts scanning the internet for vulnerable instances.
01 Oct 2024 DIVD starts notifying network owners with a vulnerable instance in their network.
30 Oct 2024 DIVD start notifying network owners with a vulnerable instance in their network for the second time.
02 Dec 2024 Last scan and closing case.
gantt title DIVD-2024-00039 - Incorrect authorization vulnerability in Apache OFBiz resulting in RCE dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2024-00039 - Incorrect authorization vulnerability in Apache OFBiz resulting in RCE (64 days) :2024-09-29, 2024-12-02 section Events DIVD starts researching the vulnerability. : milestone, 2024-09-29, 0d DIVD finds fingerprint, preparing to scan. : milestone, 2024-09-29, 0d Case opened, first version of this casefile. : milestone, 2024-09-29, 0d DIVD starts scanning the internet for vulnerable instances. : milestone, 2024-09-29, 0d DIVD starts notifying network owners with a vulnerable instance in their network. : milestone, 2024-10-01, 0d DIVD start notifying network owners with a vulnerable instance in their network for the second time. : milestone, 2024-10-30, 0d Last scan and closing case. : milestone, 2024-12-02, 0d

More information