Threat update
CVE-2024-38856 is a new critical zero-day vulnerability in the Apache OFBiz ERP system. If you are using this system, please continue reading to learn which steps you should take to mitigate your risk.
Technical Detail and Additional Info
What is the threat?
Researchers who were analyzing a patch for a previously targeted vulnerability discovered this new critical vulnerability in Apache OFBiz. It gives unauthenticated users access to the system through remote code execution (RCE), posing a severe threat with a CVSS score of 9.8 out of 10.
Why is it noteworthy?
Apache OFBiz offers a suite of features for automating and integrating various business processes, including accounting, human resources, customer relationship management, order management, manufacturing, and e-commerce. Many industries use Apache OFBiz as part of their software supply chain.
The issue stems from improper handling of endpoint requests. The authentication checks are applied to only one part of the request, while another part bypasses them. The vulnerability lies in the inconsistency between how the request URI and the overriding view URI are handled within the OFBiz system. While the request URI undergoes authentication checks, the overriding view URI, which directs to the final resource, does not. This discrepancy allows attackers to craft requests that circumvent authentication, potentially leading to unauthorized access and exploitation of critical endpoints.
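To make the flaw concrete, the following added example (illustrative code written for this update, not OFBiz source) models the pattern in a toy dispatcher: the vulnerable version checks login status against the request URI and then honours an override field, while the fixed version resolves the final view first and applies the check to it. The view names, the `override_view` field and the `Request` class are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed view catalogue for the toy dispatcher.
PROTECTED_VIEWS = {"adminPanel", "exportData"}  # require an authenticated session
PUBLIC_VIEWS = {"login", "forgotPassword"}       # reachable without login


@dataclass
class Request:
    request_uri: str             # path the authentication check is applied to
    override_view: Optional[str]  # hypothetical stand-in for the overriding view URI
    authenticated: bool           # whether the caller has a valid session


def view_from_uri(uri: str) -> str:
    """Take the last path segment as the view name (e.g. /control/login -> login)."""
    return uri.rstrip("/").rsplit("/", 1)[-1]


def requires_login(view: str) -> bool:
    return view in PROTECTED_VIEWS


def dispatch_vulnerable(req: Request) -> str:
    """Flawed flow: auth check on the request URI only, override applied afterwards."""
    if requires_login(view_from_uri(req.request_uri)) and not req.authenticated:
        return "401 login required"
    # The override is trusted without a second check, so a public request URI
    # can be steered to a protected view.
    final_view = req.override_view or view_from_uri(req.request_uri)
    return f"200 served {final_view}"


def dispatch_fixed(req: Request) -> str:
    """Hardened flow: resolve the final view first, then apply the auth check to it."""
    final_view = req.override_view or view_from_uri(req.request_uri)
    if final_view not in PROTECTED_VIEWS | PUBLIC_VIEWS:
        return "404 unknown view"
    if requires_login(final_view) and not req.authenticated:
        return "401 login required"
    return f"200 served {final_view}"
```

The same unauthenticated request, a public request URI carrying an override to a protected view, is served by the vulnerable dispatcher and rejected by the fixed one.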
What is the exposure or risk?
This vulnerability gives unauthenticated users access to functionality that is meant for logged-in users. Upon successful exploitation, bad actors can achieve remote code execution, granting them the ability to execute arbitrary code on the affected system.
What are the recommendations?
LBT Technology Group recommends taking the following measures to mitigate your risk:
- Apply appropriate updates provided by Apache to vulnerable systems immediately after appropriate testing.
- Ensure network infrastructure is up to date.
- Perform automated vulnerability scans of internal assets on a regular basis.
- Manage default accounts on assets and software, including root, administrator, and other pre-configured vendor accounts.
- Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain the department owner, review date, and purpose. Regularly review service accounts to ensure you have authorized all active accounts.
References
For more in-depth information about the recommendations, please visit the following links:
- https://medium.com/@costigermano/new-zero-day-vulnerability-in-apache-ofbiz-erp-enables-remote-code-execution-c7f4fea6d94e
- https://www.bankinfosecurity.com/zero-day-vulnerability-in-apache-ofbiz-enables-rce-a-25949
- https://www.cisecurity.org/advisory/a-vulnerability-in-apache-ofbiz-could-allow-for-remote-code-execution_2024-049
If you have any questions, please contact LBT's Sales Engineer.