Apache OFBiz RCE (CVE-2024-32113/CVE-2024-36104/CVE-2024-38856)
Description
Apache OFBiz is affected by multiple authentication bypass vulnerabilities (CVE-2024-32113, CVE-2024-36104, CVE-2024-38856) that lead to remote code execution. An attacker can exploit path traversal weaknesses with specially crafted HTTP requests to bypass the application's authentication mechanisms and gain administrative access without valid credentials.
Remediation
Upgrade Apache OFBiz to version 18.12.15 or later, which addresses all three CVEs (CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856). Note that version 18.12.14 only patches CVE-2024-32113 and CVE-2024-36104, leaving systems vulnerable to CVE-2024-38856. Download the latest release from the official Apache OFBiz website, test the upgrade in a non-production environment first, then apply it to production systems. As an interim mitigation if immediate patching is not possible, restrict network access to OFBiz instances using firewall rules or VPN requirements so that only trusted IP addresses can reach them.
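The following is an added triage helper, not code from the advisory or the OFBiz project: it compares each installed OFBiz version against the fix versions stated above (18.12.14 for the first two CVEs, 18.12.15 for all three) and reports which CVEs remain open per host. The inventory dictionary and host names are constructed sample data; it assumes versions are plain dotted numeric strings such as "18.12.14".

```python
import re

# Fix versions as stated in this advisory: 18.12.14 closes the first two CVEs,
# 18.12.15 closes all three.
FIXED_IN = {
    "CVE-2024-32113": (18, 12, 14),
    "CVE-2024-36104": (18, 12, 14),
    "CVE-2024-38856": (18, 12, 15),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '18.12.14' into (18, 12, 14).

    Numeric comparison matters: a plain string compare would rank
    '18.12.9' above '18.12.14' and mark a vulnerable host as patched.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised OFBiz version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def unpatched_cves(version: str) -> list[str]:
    """Return the CVEs from this advisory that the given release does not fix."""
    v = parse_version(version)
    return [cve for cve, fixed in FIXED_IN.items() if v < fixed]


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Map host -> outstanding CVEs; hosts with an empty list need no action."""
    return {host: unpatched_cves(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts), not real data.
    sample = {"erp-01": "18.12.9", "erp-02": "18.12.14", "erp-03": "18.12.15"}
    for host, cves in triage(sample).items():
        print(host, "OK" if not cves else "needs upgrade: " + ", ".join(cves))
```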