.webp)
The SonicWall Capture Labs research team has discovered a vulnerability in Apache OFBiz that allows pre-authenticated remote code execution. The vulnerability is being tracked as CVE-2024-38856 (CVSSv3.1: 9.8) and is considered a publicly disclosed zero-day vulnerability, though a patch was rapidly released and versions 18.12.15 and later remediate this vulnerability.
The Vulnerability
According to the research supplied in SonicWall’s blog, “the bug lies in the logic of the authentication mechanism.” Authentication checks performed on certain functions within the code were not being performed in the correct area. Due to this, the values calculated created confusion for the authentication function, allowing a malformed request containing malicious code to be executed. Unlike a legitimate request, malformed requests are considered “false” and therefore do not require authentication.
Impact
This vulnerability is considered critical severity and would have a high impact if exploited, as it allows for an unauthenticated RCE when some conditions are met. Researchers have also disclosed the method in which this vulnerability would be exploited, increasing its inherent risk.
Remediation
The vulnerability impacts Apache OFBiz prior to version 18.12.15.
A patch is available. Be sure to verify the integrity of the files using PGP or GPG as explained on the patch page.
Recommendations
Patch - The only method to fix this vulnerability is to apply the patch. There are currently no recommended vendor mitigations.
Prioritize - This vulnerability should be remediated with an elevated priority. It has an elevated risk due to public disclosure and the vulnerability being high severity.
Review Documentation
Apache OFBiz has provided an article in its technical documentation detailing how to keep OFBiz Secure. Review this article to ensure that your OFBiz instance is protected.
Associated Bulletins
SonicWall Discovers Second Critical Apache OFBiz Zero-Day Vulnerability | SonicWall
.jpg)
