Apache just patched a critical vulnerability (christened CVE-2024-38856) in OFBiz, their open-source ERP system. Discovered by SonicWall Capture Labs, this pre-authentication remote code execution flaw has a CVSS score of 9.8 and involves the exposure of critical endpoints to unauthenticated threat actors using a crafted request in the override view functionality. Of the 170 companies that use OFBiz, some notable ones include United Airlines, Atlassian JIRA, GrowERP, Lindt Chocolate Club, Home Depot, Cognizant Technology Solutions Corp., Titan Industries, HP Development Company, and Upwork Global Inc.
SonicWall has released a detailed analysis of the flaw, and multiple public PoCs have surfaced online, meaning that OFBiz users should patch their software immediately.
Detect such critical vulnerabilities and remediate them instantly with SanerNow vulnerability and patch management tool.
Technical Details on Apache OFBiz Flaw
Another flaw, CVE-2024-36104, which involves an unauthenticated RCE through path traversal, revealed discrepancies in how the ControlServlet and RequestHandler functions processed different endpoints in OFBiz. Ideally, both ControlServlet and RequestHandler should process the same endpoint, or the RequestHandler function should render the login view if the endpoint requires authentication.
However, sending a raw URL with no path traversal vector at all (POST /webtools/control/forgotPassword/ProgramExport) also grants access. That is the flaw now tracked as CVE-2024-38856: unauthenticated access to the ProgramExport endpoint is possible by chaining it with an endpoint that does not require authentication, through the override view functionality. Endpoints that do not require authentication are generally defined in controller.xml with auth="false" or without the auth attribute. Examples of such endpoints include forgotPassword, showDateTime, TestService, view, and main. URLs that trigger this vulnerability include:
POST /webtools/control/forgotPassword/ProgramExport
POST /webtools/control/main/ProgramExport
POST /webtools/control/showDateTime/ProgramExport
POST /webtools/control/view/ProgramExport
POST /webtools/control/TestService/ProgramExport
Authentication checks are performed on a value called requestUri, while the rendered page is determined by overrideViewUri. The getRequestUri method splits the path on / and returns the first element, which is forgotPassword. Conversely, the getOverrideViewUri method discards the first element after splitting the path and returns the second element, ProgramExport. This mismatch results in requestUri=forgotPassword and overrideViewUri=ProgramExport.
Since authentication checks are performed on requestUri (forgotPassword) rather than overrideViewUri (ProgramExport), this discrepancy creates a loophole in the authentication process, allowing such malformed requests to bypass authentication. For the malformed request, the auth value looked up for forgotPassword is false, so no authentication is required, unlike a legitimate request. A legitimate request hitting the endpoint directly with POST /webtools/control/ProgramExport requires authentication.
Finally, the ProgramExport view is rendered, enabling the execution of the supplied code without authentication.
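As an added example (not code from the post or from OFBiz itself), the following Python models the two parsers as the post describes them and scans constructed access-log lines for requests whose override view would be rendered without the authentication check that the view requires. The auth map and the log lines are assumptions built from the endpoint names given above.

```python
import re
from urllib.parse import urlsplit

# Simplified model (not OFBiz's code) of the two parsers described above:
# getRequestUri keeps the first path element, getOverrideViewUri the second.
def get_request_uri(path):
    parts = [p for p in path.split("/") if p]
    return parts[0] if parts else ""

def get_override_view_uri(path):
    parts = [p for p in path.split("/") if p]
    return parts[1] if len(parts) > 1 else None

# auth attribute per request name, modelled on the controller.xml entries the
# post names; unknown names default to False (no auth attribute). Assumed map.
REQUEST_AUTH = {"forgotPassword": False, "main": False, "showDateTime": False,
                "view": False, "TestService": False, "ProgramExport": True}

def auth_mismatch(path):
    """Return (request_uri, override_view, bypass) for a controller-relative path."""
    # bypass: the auth check keys on request_uri and passes for an anonymous
    # caller, yet the view actually rendered (override_view) requires auth.
    req, view = get_request_uri(path), get_override_view_uri(path)
    check_passes = not REQUEST_AUTH.get(req, False)
    rendered_needs_auth = bool(view) and REQUEST_AUTH.get(view, False)
    return req, view, check_passes and rendered_needs_auth

CONTROL_RE = re.compile(r"^/[^/]+/control/(.+)$")  # any webapp's control mount
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def scan_access_log(lines):
    """Flag access-log requests matching the override-view bypass pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path = urlsplit(m.group("target")).path  # drop any query string
        c = CONTROL_RE.match(path)
        if not c:
            continue
        req, view, bypass = auth_mismatch(c.group(1))
        if bypass:
            hits.append((m.group("method"), path, req, view))
    return hits

# Constructed sample lines in Combined Log Format; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Aug/2024:10:00:01 +0000] "POST /webtools/control/forgotPassword/ProgramExport HTTP/1.1" 200 512',
    '10.0.0.5 - - [06/Aug/2024:10:00:02 +0000] "POST /webtools/control/ProgramExport HTTP/1.1" 302 0',
    '10.0.0.7 - - [06/Aug/2024:10:00:04 +0000] "POST /webtools/control/main/ProgramExport?x=1 HTTP/1.1" 200 512',
]
```

The direct POST to /webtools/control/ProgramExport is not flagged, since its requestUri carries auth="true" and the normal login check applies; only the chained form, where the auth lookup lands on an unauthenticated request name, is reported.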
Products Affected and Impact
This flaw impacts Apache OFBiz versions 18.12.14 and below. The two most impacted regions are the USA and India, with 41% and 19% of affected systems in each country, respectively. As mentioned earlier, 170 companies, some quite large, are impacted worldwide. No active exploitation has been observed as of 6 August 2024.
Solutions
The vendor recommends updating to version 18.12.15, which contains the patch. No mitigations are present at this time.
Instantly Fix Risks with SanerNow Patch Management
SanerNow patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. SanerNow patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.