CISA Highlights Apache OFBiz Flaw After PoC Open Access

August 29, 2024 at 03:30PM

CISA has added a critical security flaw in the Apache OFBiz open source ERP system to its Known Exploited Vulnerabilities catalog. Tracked as CVE-2024-38856, the bug carries a score of 9.8 out of 10 on the CVSS scale, enabling pre-authentication RCE. Organizations must update to version 18.12.15 by Sept. 17 to mitigate the threat.

Key Takeaways from the Meeting Notes:

1. CISA has added a critical security flaw in the Apache OFBiz ERP system to its Known Exploited Vulnerabilities (KEV) catalog.
2. The bug, tracked as CVE-2024-38856, has a severity score of 9.8 out of 10 and allows pre-authentication remote code execution (RCE).
3. Organizations should update to version 18.12.15 by September 17 to mitigate the threat.
4. CVE-2024-36104 allows remote attackers to access system directories, and CVE-2024-38856 permits unauthenticated access, potentially enabling arbitrary code execution.
5. Failure to upgrade could enable threat actors to manipulate login parameters and execute arbitrary code on the target server.
6. No interim patches are available, and users must upgrade to the latest version to prevent potential exploitation of the flaws.

These are the key points to be aware of regarding the security flaw in the Apache OFBiz system and the necessary measures to mitigate the associated risks.
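The only mitigation the advisory offers is the upgrade itself, so the practical first step for a defender is an inventory check: which deployments are still below 18.12.15. The script below is an added example, not code from CISA or the Apache OFBiz project; it assumes each deployment's OFBiz version string is already known (from the build, a CMDB entry, or similar) and only compares that string against the fixed release, treating a pre-release build of 18.12.15 (for example a `-SNAPSHOT`) as unpatched because it may predate the fix. The hostnames and versions in the sample inventory are constructed for the example.

```python
"""Inventory check for the Apache OFBiz fix version named in the advisory.

Added example, not code from CISA or the Apache OFBiz project. It assumes a
deployment's OFBiz version string is known and compares it against the fixed
release 18.12.15, flagging hosts that still need the upgrade before the
September 17 remediation date the advisory gives.
"""
import re

# Release that carries the fix for CVE-2024-38856 and CVE-2024-36104 (from the advisory).
FIXED_VERSION = (18, 12, 15)
# Remediation deadline stated in the advisory.
KEV_DUE_DATE = "2024-09-17"

# Accepts "18.12.14", "18.12.15-SNAPSHOT", "18.12.15.rc1" and similar forms.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]([A-Za-z0-9]+))?$")


def parse_version(text):
    """Return (major, minor, patch, suffix); suffix is '' for a plain release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OFBiz version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), (suffix or "").upper())


def is_vulnerable(version_text):
    """True when the build is older than 18.12.15.

    A pre-release build of 18.12.15 itself (e.g. '18.12.15-SNAPSHOT') is also
    reported as vulnerable: it may have been cut before the fix commit, so it
    cannot be trusted as patched without further evidence.
    """
    major, minor, patch, suffix = parse_version(version_text)
    numeric = (major, minor, patch)
    if numeric < FIXED_VERSION:
        return True
    if numeric == FIXED_VERSION and suffix:
        return True
    return False


def hosts_needing_upgrade(inventory):
    """Given {hostname: version_string}, return sorted hostnames still on a vulnerable build."""
    return sorted(host for host, version in inventory.items() if is_vulnerable(version))


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "erp-prod-01": "18.12.14",
    "erp-prod-02": "18.12.15",
    "erp-test-01": "18.12.15-SNAPSHOT",
    "erp-legacy-01": "17.12.11",
    "erp-dev-01": "18.12.16",
}

if __name__ == "__main__":
    fixed = ".".join(map(str, FIXED_VERSION))
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: OFBiz {SAMPLE_INVENTORY[host]} is below {fixed}; upgrade before {KEV_DUE_DATE}")
```

Running the script lists the three constructed hosts that are still on a vulnerable build. In a real environment the `SAMPLE_INVENTORY` dictionary would be replaced by whatever source of truth records the deployed OFBiz version per host.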