The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a serious security flaw in the open-source enterprise resource planning (ERP) system Apache OFBiz to its list of known exploited vulnerabilities (KEV).
Citing evidence of active exploitation in the field, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a significant security hole affecting the open-source enterprise resource planning (ERP) system, Apache OFBiz, to its list of known exploited vulnerabilities (KEV) on Tuesday.
The vulnerability, identified as CVE-2024-38856, has a critical severity CVSS score of 9.8. According to CISA, Apache OFBiz has an improper permission vulnerability that could enable remote code execution by an unauthorized attacker using a Groovy payload within the OFBiz user process.
Earlier this month, SonicWall revealed details of the vulnerability, describing it as a patch bypass for another issue, CVE-2024-36104, that allows remote code execution through specially crafted requests. “A flaw in the override view functionality exposes critical endpoints to unauthenticated threat actors using a crafted request, paving the way for remote code execution,” Hasib Vhora, a SonicWall researcher, stated. This comes almost three weeks after CISA added a third Apache OFBiz vulnerability (CVE-2024-32113) to the KEV catalog following reports that it had been exploited to spread the Mirai botnet.
Proof-of-concept (PoC) exploits for CVE-2024-38856 have been made public, while there are currently no reports regarding its weaponization in the wild.
The active exploitation of two Apache OFBiz vulnerabilities suggests that attackers take a strong interest in publicly disclosed vulnerabilities and tend to take advantage of them to break into affected instances for malicious purposes. Organizations are advised to update to version 18.12.15 to mitigate the threat. Agencies within the Federal Civilian Executive Branch (FCEB) are required to apply the necessary updates by September 17, 2024.