By LBT Technology Group, LLC. on Monday, 19 August 2024
Category: Security

Critical zero-day vulnerability in Apache OFBiz

Threat update

CVE-2024-38856 is a new critical zero-day vulnerability in the Apache OFBiz ERP system. If you are using this system, please continue reading to learn which steps you should take to mitigate your risk.

Technical Detail and Additional Info

What is the threat?

Researchers who were analyzing a patch for a previously targeted vulnerability discovered this new critical vulnerability in Apache OFBiz. It allows unauthenticated users to achieve remote code execution (RCE) on the system, posing a severe threat with a CVSS score of 9.8 out of 10.

Why is it noteworthy?

Apache OFBiz offers a suite of features for automating and integrating various business processes, including accounting, human resources, customer relationship management, order management, manufacturing, and e-commerce. Many industries use Apache OFBiz as part of their software supply chain.

The issue stems from improper handling of endpoint requests: the authentication checks are applied to only one part of the request, while another part bypasses them. The vulnerability lies in the inconsistency between how the request URI and the overriding view URI are handled within OFBiz. The request URI undergoes authentication checks, but the overriding view URI, which determines the final resource, does not. This discrepancy allows attackers to craft requests that circumvent authentication, potentially leading to unauthorized access to critical endpoints.
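To make the request-URI versus overriding-view inconsistency concrete, the following is an added, deliberately simplified model written for this post; it is not Apache OFBiz source and not LBT's code. The controller tables, the `override_view` field and the `LogRecord` shape are assumptions standing in for the real configuration and logs. It shows the flawed dispatch pattern (authentication decided from the request URI only) next to a hardened one (the check re-applied to whichever view is actually rendered), plus a small audit helper that flags the symptom a defender would look for: an unauthenticated caller receiving a protected view.

```python
"""Simplified model of the request/view dispatch flaw described above.

Constructed illustration code, not Apache OFBiz source. The tables, names
and the `override_view` field are assumptions standing in for the real
controller configuration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical controller configuration: which request URIs and which views
# require a logged-in user, and the default view each request URI renders.
REQUEST_AUTH: Dict[str, bool] = {"/control/public": False, "/control/admin": True}
VIEW_AUTH: Dict[str, bool] = {"publicView": False, "adminView": True}
DEFAULT_VIEW: Dict[str, str] = {
    "/control/public": "publicView",
    "/control/admin": "adminView",
}


@dataclass
class Request:
    uri: str                      # the request URI the auth check is applied to
    override_view: Optional[str]  # the overriding view URI, if the client supplied one
    authenticated: bool           # whether the caller has a valid session


def resolve_view(req: Request) -> str:
    """The view that will actually be rendered: an override wins over the default."""
    return req.override_view or DEFAULT_VIEW[req.uri]


def dispatch_vulnerable(req: Request) -> str:
    """Flawed pattern: authentication is decided from the request URI alone."""
    # Unknown URIs fail closed (treated as requiring authentication).
    if REQUEST_AUTH.get(req.uri, True) and not req.authenticated:
        return "403"
    # The overriding view is resolved *after* the check and never re-checked,
    # so an unauthenticated request to a public URI can render a protected view.
    return "render:" + resolve_view(req)


def dispatch_fixed(req: Request) -> str:
    """Hardened pattern: the same check is applied to the view that is rendered."""
    if REQUEST_AUTH.get(req.uri, True) and not req.authenticated:
        return "403"
    view = resolve_view(req)
    # Same decision whether the view came from the request URI or an override.
    if VIEW_AUTH.get(view, True) and not req.authenticated:
        return "403"
    return "render:" + view


@dataclass
class LogRecord:
    """Constructed structured access-log record (a real log needs parsing first)."""
    uri: str
    rendered_view: str
    authenticated: bool
    status: int


def find_view_bypass(records: List[LogRecord]) -> List[LogRecord]:
    """Flag successful responses where an unauthenticated caller rendered a
    protected view: the symptom a defender would hunt for after this bug."""
    return [
        r for r in records
        if r.status == 200
        and not r.authenticated
        and VIEW_AUTH.get(r.rendered_view, True)
    ]


# Constructed sample records; the third one is the bypass pattern.
SAMPLE_LOG: List[LogRecord] = [
    LogRecord("/control/public", "publicView", False, 200),
    LogRecord("/control/admin", "adminView", True, 200),
    LogRecord("/control/public", "adminView", False, 200),
    LogRecord("/control/admin", "adminView", False, 403),
]


if __name__ == "__main__":
    probe = Request("/control/public", "adminView", authenticated=False)
    print("vulnerable:", dispatch_vulnerable(probe))   # render:adminView
    print("fixed:     ", dispatch_fixed(probe))        # 403
    for rec in find_view_bypass(SAMPLE_LOG):
        print("suspicious:", rec)
```

The design point is that an authorization decision must be made on the resource that is finally served, not on an earlier name for it; any later rewrite, redirect or override has to re-run the check. Both dispatchers also fail closed on URIs and views missing from the tables, so a forgotten configuration entry denies rather than permits.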

What is the exposure or risk?

This vulnerability gives unauthenticated users access to functionality that is meant for logged-in users. Upon successful exploitation, bad actors can achieve remote code execution, gaining the ability to execute arbitrary code on the affected system.

What are the recommendations?

LBT Technology Group recommends taking the following measures to mitigate your risk:

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact LBT's Sales Engineer.