The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw affecting the Apache OFBiz open-source enterprise resource planning (ERP) system to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The vulnerability, tracked as CVE-2024-38856, carries a CVSS score of 9.8, indicating critical severity.
“Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker,” CISA said.
Details of the vulnerability first came to light earlier this month after SonicWall described it as a patch bypass for another flaw, CVE-2024-36104, that enables remote code execution via specially crafted requests.
“A flaw in the override view functionality exposes critical endpoints to unauthenticated threat actors using a crafted request, paving the way for remote code execution,” SonicWall researcher Hasib Vhora said.
The development comes nearly three weeks after CISA added a third flaw impacting Apache OFBiz (CVE-2024-32113) to the KEV catalog, following reports that it had been abused to deploy the Mirai botnet.
While there are currently no public reports about how CVE-2024-38856 is being weaponized in the wild, proof-of-concept (PoC) exploits have been made publicly available.
The active exploitation of two Apache OFBiz flaws is a sign that attackers are showing significant interest in, and an inclination to pounce on, publicly disclosed vulnerabilities to opportunistically breach susceptible instances for nefarious ends.
Organizations are recommended to update to version 18.12.15 to mitigate against the threat. Federal Civilian Executive Branch (FCEB) agencies have been mandated to apply the necessary updates by September 17, 2024.