On August 5, 2024, researchers at SonicWall discovered a zero-day security flaw in Apache OFBiz tracked as CVE-2024-38856. The vulnerability, which has been assigned a CVSS score of 9.8, allows threat actors to perform pre-authentication remote code execution (RCE). While testing a patch for CVE-2024-36104, SonicWall researchers discovered that unauthenticated access was permitted to the ProgramExport endpoint, potentially enabling the execution of arbitrary code. These vulnerabilities arise from a flaw in the override view functionality, which can be exploited by unauthorized threat actors through maliciously crafted requests, leading to the remote code execution.

Recommendations

Zscaler ThreatLabz strongly advises users of the Apache OFBiz application to promptly upgrade to version 18.12.15, as this version contains fixes to mitigate the security vulnerabilities identified in CVE-2024-38856 and CVE-2024-36104.

Affected Versions

The following versions of Apache OFBiz are affected by the disclosed vulnerabilities and should be updated immediately:

All versions 18.12.13 and below are impacted by CVE-2024-36104
All versions 18.12.14 and below are impacted by CVE-2024-38856

Background

Apache OFBiz is an open-source Enterprise Resource Planning (ERP) system that provides business solutions for various industries. This includes tools to manage operations like customer relationships, order processing, human resource functions, warehouse management, and more.

During the analysis of CVE-2024-36104, a vulnerability disclosed on June 3, 2024, SonicWall researchers discovered the ControlServlet and RequestHandler functions received different endpoints when handling the same request. Ideally, both functions should process the same endpoint. CVE-2024-38856 allows unauthenticated access to the ProgramExport endpoint, which should have been restricted.

How It Works

In the previous vulnerability, CVE-2024-36104, Apache OFBiz was found to have a flaw that enabled remote attackers to access system directories due to inadequate validation of user requests. Exploiting this flaw involved sending a malformed URL containing '..' sequences, which could result in the execution of arbitrary code on the system.

An example of a malformed POST request and request-body is shown below.

POST /webtools/control/forgotPassword/;%2e%2e/ProgramExport

POST-Body: groovyProgram=throw new Exception('whoami'.execute().text);

In the figure below, the example malformed request is shown. This request includes a command 'whoami' that is being executed, and the resulting output of the command is displayed in the error message. The output of the command is highlighted in the green box.

Figure 1: An example of a POST request related to CVE-2024-36104. The request includes an encoded request body, along with its corresponding output.

The most recent vulnerability, CVE-2024-38856, permits unauthorized access to the ProgramExport endpoint without the need for a path traversal vector. This means that access is granted even when it should have been restricted.

The figure below shows an attack chain exploiting CVE-2024-38856.

Figure 2: The attack chain depicting an attacker exploiting CVE-2024-38856.

The figure below shows the malformed request, without a path traversal vector, being executed, and the resulting output of the command is displayed in the error message.

Figure 3: An example of a POST request related to CVE-2024-38856. The request includes an encoded request body, and the output associated with it.

Further investigation revealed that unauthenticated access to the ProgramExport endpoint was possible by combining it with any other endpoint that does not require authentication. Examples of such endpoints include:

forgotPassword
showDateTime
TestService
view
main

URLs that could be used to exploit this vulnerability are:

POST /webtools/control/forgotPassword/ProgramExport
POST /webtools/control/showDateTime/ProgramExport
POST /webtools/control/TestService/ProgramExport
POST /webtools/control/view/ProgramExport
POST /webtools/control/main/ProgramExport

Conclusion

To protect against CVE-2024-38856, it is important to update Apache OFBiz systems to version 18.12.15 as soon as possible. Neglecting to upgrade promptly exposes systems to significant security risks, which could enable threat actors to manipulate login parameters and execute arbitrary code on the target server.