The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw affecting the Apache OFBiz open-source enterprise resource planning (ERP) system to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The vulnerability, tracked as CVE-2024-38856, carries a CVSS score of 9.8, indicating critical severity.
“Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker,” CISA said.
Details of the vulnerability first came to light earlier this month after SonicWall described it as a patch bypass for another flaw, CVE-2024-36104, that allows remote code execution via specially crafted requests.
“A flaw in the override view functionality exposes critical endpoints to unauthenticated threat actors using a crafted request, paving the way for remote code execution,” SonicWall researcher Hasib Vhora said.
The development comes nearly three weeks after CISA added a third flaw impacting Apache OFBiz (CVE-2024-32113) to the KEV catalog, following reports that it had been abused to deploy the Mirai botnet.
While there are currently no public reports about how CVE-2024-38856 is being weaponized in the wild, proof-of-concept (PoC) exploits have been made publicly available.
The active exploitation of two Apache OFBiz flaws is a sign that attackers are showing significant interest in, and a tendency to pounce on, publicly disclosed vulnerabilities to opportunistically breach susceptible instances for nefarious ends.
Organizations are recommended to update to version 18.12.15 to mitigate against the threat. Federal Civilian Executive Branch (FCEB) agencies have been mandated to apply the required updates by September 17, 2024.
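As an added example (not code from the article, CISA, or the Apache OFBiz project), the following script shows how a defender might sweep an asset inventory for OFBiz deployments still below the 18.12.15 release named above. The hostnames and versions are constructed sample data, and the handling of suffixes such as "-SNAPSHOT" is an assumption about how versions are reported; the point it makes is that versions must be compared component by component, since a plain string comparison would rank "18.12.9" above "18.12.15" and silently miss an unpatched host.

```python
# Added example, not from the article or the OFBiz project: flag inventory
# entries running an Apache OFBiz version older than the fixed release.

from typing import List, Tuple

# First release carrying the fix for CVE-2024-38856, per the advisory text.
FIXED_VERSION = "18.12.15"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '18.12.15' into (18, 12, 15) so each component compares numerically.

    A plain string comparison would wrongly rank '18.12.9' above '18.12.15'.
    """
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break  # assumption: trailing suffixes like '-SNAPSHOT' are ignored
        if not digits:
            raise ValueError(f"unparseable version component {piece!r} in {version!r}")
        parts.append(int(digits))
    return tuple(parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(version) < parse_version(fixed)


def find_exposed(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose OFBiz version still needs the update."""
    return [host for host, ver in inventory if is_vulnerable(ver)]


# Constructed sample inventory: (hostname, reported OFBiz version). The
# hostnames are hypothetical.
SAMPLE_INVENTORY = [
    ("erp-prod-01.example.internal", "18.12.14"),
    ("erp-prod-02.example.internal", "18.12.15"),
    ("erp-test-01.example.internal", "18.12.9"),
    ("erp-dev-01.example.internal", "18.12.16-SNAPSHOT"),
]

if __name__ == "__main__":
    for host in find_exposed(SAMPLE_INVENTORY):
        print(f"UPDATE REQUIRED: {host}")
```

Run against the sample data, only the two hosts on 18.12.14 and 18.12.9 are reported; the 18.12.15 and 18.12.16 entries are correctly left alone.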