Patch Now to Avoid Apache OFBiz Remote Code Execution – CVE-2024-36104
The Apache Software Foundation has issued a critical security patch to address a severe vulnerability in Apache OFBiz, a popular open-source enterprise automation platform. The flaw, tracked as CVE-2024-36104, could allow remote attackers to execute arbitrary code on affected systems, potentially leading to full system compromise.
CVE-2024-36104 is a path traversal vulnerability that allows attackers to access restricted directories and files on an OFBiz server. By manipulating file paths, malicious actors can execute commands, upload malicious files, or steal sensitive data. The vulnerability stems from improper input validation and lack of restrictions on file paths. This vulnerability is classified as important, given its potential to severely compromise the confidentiality, integrity, and availability of resources.
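As an added illustration of the kind of file-path restriction that this vulnerability class lacks, here is a small Python containment check (example code written for this article, not OFBiz's code or the project's fix; the root directory and the request values are constructed, and the function names are hypothetical). It decodes repeatedly so that double-encoded traversal sequences do not slip past a single decode, normalizes separators, and then confirms the resolved path stays under the allowed root.

```python
import posixpath
from typing import Dict, Optional
from urllib.parse import unquote

# Constructed: the only directory a file handler is allowed to serve from.
ALLOWED_ROOT = "/srv/app/public"

def fully_decode(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so that double-encoded sequences
    (e.g. %252e%252e -> %2e%2e -> ..) are seen in their final form."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current

def resolve_user_path(user_supplied: str, root: str = ALLOWED_ROOT) -> Optional[str]:
    """Return the absolute path inside `root` that `user_supplied` names,
    or None when the request would escape `root`."""
    decoded = fully_decode(user_supplied)
    if "\x00" in decoded:                 # NUL bytes can truncate paths in native APIs
        return None
    decoded = decoded.replace("\\", "/")  # treat backslashes as separators too
    # Join under the root and collapse '.', '..' and '//' lexically.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Containment: the result must be the root itself or a descendant of it.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate

# Constructed request values a handler might receive; not captured traffic.
SAMPLES: Dict[str, Optional[str]] = {
    "images/logo.png": "/srv/app/public/images/logo.png",
    "docs/../docs/manual.pdf": "/srv/app/public/docs/manual.pdf",
    "../../conf/app.properties": None,            # plain traversal
    "..%2F..%2Fconf%2Fapp.properties": None,      # URL-encoded separators
    "%252e%252e/%252e%252e/conf/app.properties": None,  # double-encoded dots
    "..\\..\\conf\\app.properties": None,         # backslash separators
    "logo%00.png": None,                          # embedded NUL
}

def check_samples() -> Dict[str, Optional[str]]:
    """Run every sample through the check; compare against SAMPLES."""
    return {path: resolve_user_path(path) for path in SAMPLES}
```

The lexical check above is the first gate; a handler that then opens the file should still resolve symlinks (for example with os.path.realpath) and repeat the containment test on the real path.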
Security researcher Godspeed (AAA@ZJU) discovered and reported this vulnerability.
All versions of Apache OFBiz prior to 18.12.14 are affected by this vulnerability. Organizations using OFBiz for ERP, CRM, e-commerce, supply chain management, or manufacturing resource planning are urged to update their systems immediately.
The impact of a successful exploit could be devastating. Attackers could gain unauthorized access to critical business data, disrupt operations, or install ransomware. The vulnerability’s severity and the widespread use of OFBiz make it a prime target for exploitation.
The Apache Software Foundation has released OFBiz version 18.12.14, which contains a fix for the vulnerability. Users are strongly advised to upgrade to this version as soon as possible.