CISA Warns of Actively Exploited Apache OFBiz CVE-2024-38856 Vulnerability, PoC Available


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about an actively exploited security flaw in Apache OFBiz, a popular open-source enterprise resource planning (ERP) system. The vulnerability, tracked as CVE-2024-38856, has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, underscoring the critical nature of the threat.

CVE-2024-38856 is a pre-authentication remote code execution vulnerability. This vulnerability affects Apache OFBiz versions prior to 18.12.15, posing a significant risk to any organization using outdated versions of the software.

The root cause of CVE-2024-38856 lies in a flaw within the authentication mechanism of Apache OFBiz: unauthenticated users can reach functionality that is normally restricted to logged-in users. With that access, attackers can execute arbitrary code on the affected system, potentially leading to full system compromise.

SonicWall, the security firm that discovered and reported CVE-2024-38856, has highlighted that the vulnerability resides in the override view functionality of Apache OFBiz. This critical weakness exposes essential endpoints to unauthenticated attackers, who can exploit the flaw by sending specially crafted requests.

Adding to the urgency, cybersecurity researchers Zeyad Azima from SecureLayer7 and Youssef Muhammad have published proof-of-concept (PoC) exploit code for CVE-2024-38856. The availability of this PoC on GitHub provides a concrete demonstration of how the vulnerability can be exploited, making it easier for threat actors to launch attacks.

Given the high severity and active exploitation of CVE-2024-38856, CISA has strongly recommended that all federal agencies and organizations using Apache OFBiz update their installations to version 18.12.15 or later by September 17, 2024. Failing to apply these updates could leave systems vulnerable to attacks that could result in data breaches, service disruptions, and other severe consequences.
