Service Notices
Apache OFBiz Arbitrary Code Execution Vulnerability (CVE-2024-38856)
Aug 07, 2024 GMT+08:00
I. Overview
Apache OFBiz has identified a critical security vulnerability (CVE-2024-38856) affecting versions up to and including 18.12.14. The vulnerability stems from an incorrect authorization flaw that allows unauthenticated attackers to execute arbitrary code on the target system. Exploitation could lead to sensitive information leakage, service disruption, or the execution of malicious code. A proof of concept (PoC) for this vulnerability has been publicly disclosed, so the risk is high.
Apache OFBiz is an open-source enterprise resource planning (ERP) system. If you are an Apache OFBiz user, check your deployed versions and apply security hardening promptly.
Reference:
https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w
https://ofbiz.apache.org/security.html
II. Severity
Severity: important
(Severity levels: low, moderate, important, and critical)
III. Affected Products
Affected versions:
Apache OFBiz <= 18.12.14
Secure versions:
Apache OFBiz >= 18.12.15
IV. Vulnerability Handling
This vulnerability has been fixed in the latest official release. If your deployed version falls within the affected range, upgrade it to a secure version (18.12.15 or later), available from:
https://ofbiz.apache.org/download.html
Note: Before applying the fix, back up your files and test the upgrade thoroughly.
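To turn the affected and secure version boundaries above into a repeatable check, here is an added example (not part of the advisory or of the OFBiz project) that classifies OFBiz version strings against the CVE-2024-38856 range. The inventory it processes is constructed sample data; the version strings are assumed to be recorded by the operator in the usual `major.minor.patch` form.

```python
"""Classify Apache OFBiz version strings against the CVE-2024-38856 range."""
import re
from typing import Dict, Tuple

# Boundaries as stated in the advisory: every release up to and including
# 18.12.14 is affected; 18.12.15 is the first secure release.
LAST_AFFECTED = (18, 12, 14)
FIRST_SECURE = (18, 12, 15)

# Leading numeric triple; a trailing label such as "-SNAPSHOT" is tolerated.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '18.12.14' (optionally with a suffix) into a comparable tuple.

    Raises ValueError for strings that do not start with three numeric parts.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised OFBiz version string: {text!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_affected(version: str) -> bool:
    """True when the version lies inside the advisory's affected range.

    Older release lines (e.g. 17.12.x) compare below 18.12.14 and are
    therefore reported as affected, matching "up to and including 18.12.14".
    """
    return parse_version(version) <= LAST_AFFECTED


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'upgrade', 'ok' or 'unknown' (unparseable version)."""
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            result[host] = "upgrade" if is_affected(version) else "ok"
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names, not real systems).
    sample = {
        "erp-prod-01": "18.12.14",
        "erp-prod-02": "18.12.15",
        "erp-legacy": "17.12.07",
        "erp-dev": "18.12.14-SNAPSHOT",
        "erp-test": "unknown build",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need their version confirmed manually before they can be ruled out.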