Vulnerable Version
Apache OFBiz <= 18.12.14
Fixed Version
Apache OFBiz 18.12.16
Base Score
9.8 Critical
Vendor Description
Apache OFBiz is an open-source ERP framework. It supports a wide range of online applications used for
a variety of company operations, including human resources, accounting, inventory management,
customer relationship management, and marketing. This software, while less common than certain
commercial equivalents, is critical to the enterprises that rely on it for sensitive business activities.
Overview
CVE-2024-38856 is an improper authorization vulnerability discovered in Apache OFBiz versions up to and including 18.12.14. It permits remote, unauthenticated attackers to run arbitrary code on vulnerable systems. The vulnerability was discovered by carefully analyzing a previously patched path traversal security bug (CVE-2024-36104). The development community acknowledged the vulnerability, but information concerning its particulars was limited.
CVE-2024-38856 is a significant security vulnerability with a CVSS Base Score of 9.8 (critical).
Another related issue, CVE-2024-45195, affects all versions of Apache OFBiz prior to v18.12.16. This bug also permits unauthenticated remote code execution: missing permission checks in the web application can be exploited to run arbitrary code.
CVE-2024-45195’s CVSS Base Score is 7.5 (high).
Vulnerability Details
The vulnerability affects Apache OFBiz's 'ProgramExport' endpoint and allows remote code execution due to poor input validation. Attackers encode commands in Base64, embed them in a Groovy script, and send the script in HTTP POST requests. The script executes the commands with Bash, and the output is captured between markers such as '[result]'. This approach circumvents the application's security safeguards, allowing attackers to run unauthorized commands on the server without authentication. The root cause is the endpoint's lack of strict input validation and adequate authorization checks.
POC
Exploit mode
python cve-2024-38856_Scanner.py -t <target> -p <port> -c "command" --exploit

Impact and Potential Risks
Organizations relying on Apache OFBiz may be at risk of:
- Unauthorized information access
- Loss of data integrity
- Compromise of sensitive business information
- Total control of affected server environments by malicious actors
Mitigation
To effectively resolve the vulnerabilities, users of Apache OFBiz should upgrade to version 18.12.16 or later. Moving forward, companies should prioritize frequent software upgrades and patching to reduce exposure to vulnerabilities such as CVE-2024-38856 and CVE-2024-45195.
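As an added defender-side example (not part of this advisory and not OFBiz project code), the block below covers both the "Vulnerability Details" and "Mitigation" sections: it flags POST requests that name the 'ProgramExport' endpoint in web-server access logs and checks an OFBiz version string against the fixed release. The access-log format, the sample log lines and the path prefix in front of ProgramExport are assumptions; the only facts taken from the advisory are the endpoint name and the version boundaries.

```python
import re
from typing import List, Tuple

# From the advisory: <= 18.12.14 affected, 18.12.16 is the fixed release.
FIXED_VERSION = (18, 12, 16)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '18.12.14' into (18, 12, 14); any non-numeric suffix is ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version)[:3])


def is_vulnerable_version(version: str) -> bool:
    """True when the reported OFBiz version is older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


# Apache/NCSA-style access-log line (format is an assumption for this example).
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3}) (\d+|-)'
)


def flag_programexport_posts(lines: List[str]) -> List[dict]:
    """Return POST requests whose request path names the ProgramExport endpoint.

    Matching on the endpoint name rather than a full path means a request is
    flagged whichever webapp mount point it arrives under.
    """
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that do not follow the assumed format
        src_ip, timestamp, method, path, status, _size = match.groups()
        if method == "POST" and "ProgramExport" in path:
            hits.append({"ip": src_ip, "time": timestamp,
                         "path": path, "status": int(status)})
    return hits


# Constructed sample lines: only the first one should be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2024:13:45:01 +0000] "POST /webtools/control/ProgramExport HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Aug/2024:13:45:02 +0000] "GET /webtools/control/ProgramExport HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Aug/2024:13:46:10 +0000] "POST /catalog/control/main HTTP/1.1" 302 -',
    'garbled line that does not match the log format',
]

if __name__ == "__main__":
    for hit in flag_programexport_posts(SAMPLE_LOG):
        print(hit)
    print("18.12.14 vulnerable:", is_vulnerable_version("18.12.14"))
```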
