-
Notifications
You must be signed in to change notification settings - Fork 47
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #846 from WesselDIVD/DIVD-2024-00039
adding casefile for DIVD case DIVD-2024-00039
- Loading branch information
Showing
1 changed file
with
59 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| --- | ||
| layout: case | ||
| title: "Incorrect authorization vulnerability in Apache OFBiz resulting in RCE" | ||
| author: Wessel Baltus | ||
| lead: Wessel Baltus | ||
| excerpt: "In Apache OFBiz, version 18.12.14 and below, an Incorrect Authorization vulnerability exists that allows pre-authentication remote code execution (RCE) resulting in an attacker being able to execute arbitrary commands on the affected system by sending a specially crafted HTTP request." | ||
| researchers: | ||
| - Wessel Baltus | ||
| - Stan Plasmeijer | ||
| - Alwin Warringa | ||
| - Oscar Vlugt | ||
| cves: | ||
| - CVE-2024-38856 | ||
| product: | ||
| - Apache OFBiz | ||
| versions: | ||
| - versions 18.12.14 and below | ||
| recommendation: "Update to Apache OFBiz version 18.12.15 or higher if available" | ||
| workaround: "None" | ||
| patch_status: Patch available | ||
| status : Open | ||
| start: 2024-09-29 | ||
| timeline: | ||
| - start: 2024-09-29 | ||
| end: | ||
| event: "DIVD starts researching the vulnerability." | ||
| - start: 2024-09-29 | ||
| end: | ||
| event: "DIVD finds fingerprint, preparing to scan." | ||
| - start: 2024-09-29 | ||
| end: | ||
| event: "Case opened, first version of this casefile" | ||
| - start: 2024-09-29 | ||
| end: | ||
| event: "DIVD starts scanning the internet for vulnerable instances." | ||
| - start: 2024-10-01 | ||
| end: | ||
| event: "DIVD starts notifying network owners with a vulnerable instance in their network" | ||
|
|
||
| --- | ||
|
|
||
| ## Summary | ||
|
|
||
| CVE-2024-38856 is a critical pre-authentication remote code execution (RCE) vulnerability in Apache OFBiz. The flaw stems from insufficient validation of the ProgramExport endpoint, which can be accessed without authentication. Attackers exploit this by chaining the ProgramExport endpoint with other publicly accessible endpoints, effectively bypassing authentication controls. This allows the execution of arbitrary code on vulnerable systems, leading to full system compromise. The vulnerability affects versions of OFBiz up to 18.12.14, and upgrading to version 18.12.15 is required to mitigate this threat. | ||
|
|
||
| ## Recommendations | ||
|
|
||
| The Apache OFBiz versions 18.12.14 and below are vulnerable. Upgrade to version 18.12.15 or higher as soon as possible. | ||
|
|
||
| ## What we are doing | ||
|
|
||
| DIVD is currently working to identify parties that are running a version of Apache OFBiz servers that contain this vulnerability and notify these parties. We do this by finding vulnerable Apache OFBiz instances that are connected to the Internet and verifying vulnerability using an non-weaponized exploit. | ||
| {% include timeline.html %} | ||
|
|
||
| ## More information | ||
|
|
||
| * {% cve CVE-2024-38856 %} | ||
| * [National Vulnerability Database for CVE-2024-38856](https://nvd.nist.gov/vuln/detail/CVE-2024-38856) | ||
| * [Indepth information on CVE-2024-23692](https://www.zscaler.com/blogs/security-research/cve-2024-38856-pre-auth-rce-vulnerability-apache-ofbiz) |