A recently identified zero-day pre-authentication remote code execution vulnerability in the open-source enterprise resource planning (ERP) system Apache OFBiz could allow threat actors to run remote code on vulnerable instances.
The open-source enterprise resource planning (ERP) system Apache OFBiz has a newly discovered zero-day pre-authentication remote code execution vulnerability that could enable threat actors to execute remote code on compromised instances. The vulnerability, identified as CVE-2024-38856, impacts Apache OFBiz versions older than 18.12.15 and has a CVSS score of 9.8 out of 10.0. The vulnerability was found and reported by SonicWall, which stated that “a flaw in the authentication mechanism lies at the root cause of the vulnerability.” “This vulnerability opens the door for remote code execution by enabling an unauthorized user to access features that typically require the user to be logged in.” In addition, CVE-2024-38856 is a workaround for CVE-2024-36104, a path traversal vulnerability fixed in early June by version 18.12.14.
According to SonicWall, the vulnerability is in the override view functionality, which lets unauthorized threat actors access vital endpoints and use them to execute code remotely by sending carefully constructed requests. According to security researcher Hasib Vhora, “unauthenticated access was allowed to the ProgramExport endpoint by chaining it with any other endpoints that do not require authentication by abusing the override view functionality.” This development coincides with the active exploitation of another OFBiz critical path traversal vulnerability (CVE-2024-32113), which has the potential to grant remote code execution and facilitate the deployment of the Mirai botnet. In May 2024, a patch was applied.
SonicWall also revealed in December 2023 a zero-day vulnerability (CVE-2023-51467) in the same software that made it possible to get beyond authentication safeguards. As a result, there were several efforts to exploit this vulnerability.
Also read: Achieving Rapid Outcomes with AI-Driven Cloud Analytics
Do Follow: CIO News LinkedIn Account | CIO News Facebook | CIO News Youtube | CIO News Twitter
About us:
CIO News is the premier platform dedicated to delivering the latest news, updates, and insights from the CIO industry. As a trusted source in the technology and IT sector, we provide a comprehensive resource for executives and professionals seeking to stay informed and ahead of the curve. With a focus on cutting-edge developments and trends, CIO News serves as your go-to destination for staying abreast of the rapidly evolving landscape of technology and IT. Founded in June 2020, CIO News has rapidly evolved with ambitious growth plans to expand globally, targeting markets in the Middle East & Africa, ASEAN, USA, and the UK.
CIO News is a proprietary of Mercadeo Multiventures Pvt Ltd.