
Zero-Day Flaw in Apache OFBiz open-source ERP allows Remote Code Execution (CVE-2024-38856)

Advisory No: TZCERT/SA/2024/08/07-1

Date of First Release: 07th August 2024

Source: Apache

Software Affected: Apache OFBiz

Overview:

Apache OFBiz is vulnerable to a zero-day remote code execution vulnerability. Successful exploitation of the vulnerability may allow attackers to take control of the affected device.

Description:

Apache OFBiz open-source enterprise resource planning (ERP) software is affected by a critical vulnerability tracked as CVE-2024-38856 with a CVSS score of 9.8. The flaw results from improper limitation of a pathname to a restricted directory (‘Path Traversal’), leading to a failure of the authentication mechanism. Leveraging the vulnerability allows an attacker to achieve remote code execution via specially crafted requests.
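The weakness class named above, a path-traversal flaw that defeats an access check, is easiest to see on a small model. The following is an added illustration, not OFBiz code: the `/admin/` policy, the sample request paths and all function names are constructed, and it shows why the protected-path decision must be made on the canonicalized path rather than on the raw request string.

```python
from posixpath import normpath
from urllib.parse import unquote

# Constructed policy for this illustration: everything under /admin/ needs a session.
PROTECTED_PREFIXES = ("/admin/",)

def canonicalize(raw_path: str) -> str:
    """Percent-decode once, then collapse '.', '..' and repeated slashes."""
    decoded = unquote(raw_path)
    # Re-apply exactly one leading slash: '..' can then never climb above the
    # web root, and normpath never sees a POSIX '//' prefix (which it preserves).
    return normpath("/" + decoded.lstrip("/"))

def _is_protected(path: str) -> bool:
    return any(path == p.rstrip("/") or path.startswith(p) for p in PROTECTED_PREFIXES)

def requires_auth_naive(raw_path: str) -> bool:
    # Weak form: decides on the raw request path, so a traversal segment
    # hides the real target from the prefix check.
    return _is_protected(raw_path)

def requires_auth_hardened(raw_path: str) -> bool:
    # Hardened form: decides on the canonical path the handler will serve.
    return _is_protected(canonicalize(raw_path))

def dispatch(raw_path: str, authenticated: bool, requires_auth) -> str:
    """Return 'served' or 'denied' for one request under the given check."""
    if requires_auth(raw_path) and not authenticated:
        return "denied"
    return "served"

# Constructed sample requests, evaluated for an anonymous client.
SAMPLE_PATHS = [
    "/admin/config",                # plainly protected
    "/public/../admin/config",      # traversal to the same resource
    "/public/%2e%2e/admin/config",  # the same, percent-encoded
    "/public/index",                # genuinely public
]

def compare_policies(paths=SAMPLE_PATHS) -> dict:
    """Map each path to (naive decision, hardened decision)."""
    return {p: (dispatch(p, False, requires_auth_naive),
                dispatch(p, False, requires_auth_hardened)) for p in paths}

if __name__ == "__main__":
    for path, (naive, hardened) in compare_policies().items():
        print(f"{path:30} naive={naive:7} hardened={hardened}")
```

The naive check lets both traversal variants through to the protected resource, while the hardened check denies them exactly as it denies the plain `/admin/config` request.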

Impact:

Successful exploitation of this vulnerability may allow an attacker to take control of the affected device.

Solution:

Apache has released a patch for this vulnerability. Users and administrators are encouraged to apply necessary updates.

References:

  1. https://www.openwall.com/lists/oss-security/2024/05/09/1
  2. https://lists.apache.org/thread/w6s60okgkxp2th1sr8vx0ndmgk68fqrd
  3. https://thehackernews.com/2024/08/new-zero-day-flaw-in-apache-ofbiz-erp.html
