The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has issued an alert regarding two vulnerabilities currently being exploited in cyberattacks. One of these flaws affects Apache OFBiz, a popular open-source enterprise resource planning system.
The Apache OFBiz vulnerability (CVE-2024-32113) is a path traversal flaw affecting versions before 18.12.13. It could allow attackers to remotely execute arbitrary commands on vulnerable servers.
Federal agencies and state organizations have until August 28, 2024, to apply security updates or discontinue using the affected product. The same deadline applies to a second vulnerability (CVE-2024-36971) in the Android kernel, which was also added to the KEV.
Security researchers have published detailed exploitation methods for the OFBiz flaw, increasing the risk of widespread attacks. Additionally, a newer, critical vulnerability in Apache OFBiz (CVE-2024-38856) was recently discovered, affecting versions up to 18.12.14. This pre-authentication remote code execution flaw has not yet been added to the KEV but poses a significant risk.
Users are strongly advised to upgrade to OFBiz version 18.12.15, which addresses both vulnerabilities. CISA's warning underscores the importance of prompt patching and continuous monitoring of enterprise software for security updates. Organizations using Apache OFBiz should take immediate action to mitigate these risks.
