August 28, 2024 at 02:03AM
The U.S. Cybersecurity and Infrastructure Security Agency has added a critical security flaw in the Apache OFBiz system to its Known Exploited Vulnerabilities catalog. The flaw, CVE-2024-38856, allows remote code execution and carries a CVSS score of 9.8. Organizations are advised to update to version 18.12.15 by September 17, 2024 to mitigate the threat.
Key takeaways from the meeting notes:
– The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a critical security flaw, CVE-2024-38856, in the Apache OFBiz open-source enterprise resource planning (ERP) system.
– The vulnerability carries a CVSS score of 9.8, indicating critical severity, and allows remote code execution by an unauthenticated attacker.
– Another flaw, CVE-2024-36104, has also been identified as a patch bypass for remote code execution via specially crafted requests.
– A third flaw impacting Apache OFBiz, CVE-2024-32113, has been placed in the Known Exploited Vulnerabilities (KEV) catalog after being abused to deploy the Mirai botnet.
– While there are no public reports of active exploitation of CVE-2024-38856, proof-of-concept (PoC) exploits are available.
– Organizations are advised to update to version 18.12.15 to mitigate against the threats, and Federal Civilian Executive Branch (FCEB) agencies have been mandated to apply the necessary updates by September 17, 2024.