Attacks Target Recent Apache OFBiz Bug

CISA is warning federal agencies and enterprises that attackers are exploiting a known vulnerability in the Apache OFBiz ERP suite, a bug that Apache released a fix for three weeks ago.

The vulnerability (CVE-2024-38856) affects every version of OFBiz through 18.12.14 and successful exploitation would allow an attacker to execute screen rendering code on affected endpoints. The Apache Software Foundation released an update to address the bug on Aug. 5, but on Tuesday the Cybersecurity and Infrastructure Security Agency issued an advisory and added the flaw to its Known Exploited Vulnerabilities catalog.

CISA did not provide any information on the group or groups exploiting the vulnerability, but the urgency to apply the patch is even greater, given that the bug can be exploited without authentication.

“Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker,” the CISA advisory says.

OFBiz is a Java-based, open-source ERP framework. The framework is embedded in some third-party apps, including JIRA. In January, researchers at SonicWall discovered that attackers were exploiting a separate OFBiz vulnerability that had been disclosed in December 2023. That flaw was related to an even earlier vulnerability, and attackers began attempting to exploit it quickly after its disclosure.

CISA is encouraging organizations to upgrade to version 18.12.15 of OFBiz, which contains the patch for CVE-2024-38856.