CISA Flags Critical Apache OFBiz Flaw Amid Active Exploitation Reports

Aug 28, 2024 | Ravie Lakshmanan | Software Security / Vulnerability


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw affecting the Apache OFBiz open-source enterprise resource planning (ERP) system to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

The vulnerability, tracked as CVE-2024-38856, carries a CVSS score of 9.8, indicating critical severity.


"Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker," CISA said.

Details of the vulnerability first came to light earlier this month after SonicWall described it as a patch bypass for another flaw, CVE-2024-36104, that enables remote code execution via specially crafted requests.

"A flaw in the override view functionality exposes critical endpoints to unauthenticated threat actors using a crafted request, paving the way for remote code execution," SonicWall researcher Hasib Vhora said.

The development comes nearly three weeks after CISA added a third flaw impacting Apache OFBiz (CVE-2024-32113) to the KEV catalog, following reports that it had been abused to deploy the Mirai botnet.

While there are currently no public reports about how CVE-2024-38856 is being weaponized in the wild, proof-of-concept (PoC) exploits have been made publicly available.


The active exploitation of two Apache OFBiz flaws is a sign that attackers are showing significant interest in, and a tendency to pounce on, publicly disclosed vulnerabilities to opportunistically breach susceptible instances for nefarious ends.

Organizations are recommended to update to version 18.12.15 to mitigate against the threat. Federal Civilian Executive Branch (FCEB) agencies have been mandated to apply the required updates by September 17, 2024.
