CVE-2024-38856 — Apache OFBiz Incorrect Authorization Vulnerability

CVE-2024-38856

Apache OFBiz — Incorrect Authorization Bypasses Auth Check on View Override; Pre-Auth Groovy RCE via ProgramExport; Patch Bypass of CVE-2024-32113; Fixed 18.12.15

What is Apache OFBiz?

Apache OFBiz (Open For Business) is an open-source enterprise resource planning (ERP) and CRM framework widely used for e-commerce backends, order management, and business process automation. Many organizations run OFBiz as the backbone for their online storefronts and internal business operations. OFBiz has been a repeated target of attackers: CVE-2024-32113 (May 2024) and now CVE-2024-38856 (a patch bypass) demonstrate that its authentication and authorization mechanisms have had persistent weaknesses. The ProgramExport endpoint — which allows Groovy code execution — has been the attack surface for multiple critical OFBiz CVEs.

Overview

CVE-2024-38856 is an incorrect authorization vulnerability (CWE-863) in Apache OFBiz that lets an unauthenticated request reach the ProgramExport endpoint. It abuses OFBiz's "view override" mechanism, a legitimate feature in which a second path segment after the request name (/webtools/control/<request>/<view>) selects a different view to render than the one the request would normally produce. Before the fix, the request handler applied its login check only to the request named by the first segment, so a request whose first segment is an anonymous page and whose second segment is ProgramExport passes the check and still renders ProgramExport. Because rendering ProgramExport evaluates the Groovy code supplied in the groovyProgram parameter, the authorization bypass is directly unauthenticated remote code execution. This is a patch bypass: CVE-2024-32113 reached ProgramExport through path traversal, and CVE-2024-38856 reaches the same endpoint through a different route. CISA added it to KEV just 22 days after the fix, indicating rapid exploitation in the wild.

Affected Versions

Product         Vulnerable                    Fixed
Apache OFBiz    < 18.12.15 (through 18.12.14) 18.12.15

Technical Details

The authorization bypass (CWE-863) exploits OFBiz's view override feature. Requests to an OFBiz webapp are routed by the controller's request maps: a URL of the form /webtools/control/<request> selects a request map, and that map's security settings decide whether a login is required. The request handler also accepts an optional second path segment, /webtools/control/<request>/<view>, which overrides the view rendered once the request has been processed. In versions before 18.12.15 the authentication check was performed only against the first segment's request map. A request such as /webtools/control/main/ProgramExport therefore passes the check as the anonymous main request and then renders the ProgramExport view, which would have required a login had it been requested directly. Note that the empty-credential query string (USERNAME=&PASSWORD=&requirePasswordChange=Y) that appears in older OFBiz exploits belongs to a login bypass fixed in 2023 and is not needed here; this bypass is purely path-based.

ProgramExport endpoint: This webtools page is designed to let administrators run Groovy scripts for maintenance and batch processing. Rendering it executes a server-side Groovy action that reads a groovyProgram parameter and evaluates it inside the OFBiz JVM. Reached without an authentication gate, it is a direct code execution endpoint.

Exploit flow:

  1. Attacker sends an HTTP POST to /webtools/control/main/ProgramExport, placing the Groovy payload in the groovyProgram form parameter; the first path segment names an anonymous request map and the second segment is the override view
  2. The request handler checks authentication against the main request map, which permits anonymous access, and then honours the override segment, rendering the ProgramExport view exactly as it would for a logged-in administrator
  3. Rendering the view evaluates groovyProgram, so the attacker's Groovy code runs with the privileges of the OFBiz server process user
  4. Attacker establishes a web shell or reverse shell for persistent access

Relationship to CVE-2024-32113:

  • CVE-2024-32113 (path traversal) was the original ProgramExport bypass, fixed in 18.12.13
  • CVE-2024-38856 is a different technique (view override) achieving the same result, requiring 18.12.15 to fully close
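
The dispatch logic described in this section, as a simplified Python model added here for illustration (this is not OFBiz source, which is Java). The request-map table, the path split and the way the 18.12.15 fix is modelled are assumptions; what the model shows is that the login check is applied to the first path segment while the view named by the second segment is what actually renders:

```python
"""Simplified model of the OFBiz request handler's view-override dispatch.

Constructed illustration code, not OFBiz source. REQUEST_MAPS, split_path()
and the "patched" branch are assumptions that mirror the behaviour described
in the Technical Details: the login check runs against the first path
segment, while the second segment selects the view that is rendered.
"""

# Constructed stand-in for a webtools controller.xml: which request maps
# demand a login (<security auth="true"/>) and which view they render.
REQUEST_MAPS = {
    "main":           {"auth": False, "view": "main"},
    "forgotPassword": {"auth": False, "view": "forgotPassword"},
    "ProgramExport":  {"auth": True,  "view": "ProgramExport"},
    "LogView":        {"auth": True,  "view": "LogView"},
}

# Views whose rendering has side effects (assumption: ProgramExport's
# Groovy action evaluates the groovyProgram parameter).
DANGEROUS_VIEWS = {"ProgramExport"}


def split_path(path_info):
    """Split the part after /control/ into (requestUri, overrideViewUri).

    '/main/ProgramExport' -> ('main', 'ProgramExport')
    '/ProgramExport'      -> ('ProgramExport', None)
    """
    segments = [s for s in path_info.split("/") if s]
    if not segments:
        return None, None
    request_uri = segments[0]
    override_view = segments[1] if len(segments) > 1 else None
    return request_uri, override_view


def dispatch(path_info, logged_in, patched):
    """Return the view that gets rendered, 'LOGIN' when the request is
    redirected to the login page, or '404' for an unknown request map."""
    request_uri, override_view = split_path(path_info)
    rmap = REQUEST_MAPS.get(request_uri)
    if rmap is None:
        return "404"

    # Both versions check the login requirement of the *first* segment only.
    if rmap["auth"] and not logged_in:
        return "LOGIN"

    if override_view is None:
        return rmap["view"]

    # Vulnerable behaviour (before 18.12.15): the override view is rendered
    # without asking whether that view would itself have required a login.
    if not patched:
        return override_view

    # Hardened behaviour (modelled after the 18.12.15 fix as described above):
    # the request map named by the override view gets the same login check.
    target = REQUEST_MAPS.get(override_view)
    if target is not None and target["auth"] and not logged_in:
        return "LOGIN"
    return override_view


def executes_groovy(path_info, logged_in, patched):
    """True when the request ends up rendering a view that evaluates
    caller-supplied Groovy."""
    return dispatch(path_info, logged_in, patched) in DANGEROUS_VIEWS


if __name__ == "__main__":
    for path in ("/ProgramExport", "/main/ProgramExport",
                 "/forgotPassword/ProgramExport"):
        for patched in (False, True):
            label = "patched" if patched else "vulnerable"
            print(f"{label:10} anon {path:30} -> "
                  f"{dispatch(path, logged_in=False, patched=patched)}")
```

Running it prints the anonymous outcome for each path: the direct /ProgramExport request is sent to the login page in both versions, while /main/ProgramExport renders ProgramExport in the vulnerable model and is sent to the login page in the patched one.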

Discovery

Hasib Vhora of SonicWall Threat Research Labs reported the vulnerability. Published details led to rapid exploitation.

Exploitation Context

CISA added CVE-2024-38856 to the KEV catalog on August 27, 2024, only 22 days after the patch and about three weeks after public disclosure. SonicWall and other researchers observed scanning and exploitation activity in August 2024, and internet-exposed OFBiz instances were targeted for initial access. KEV listing requires reliable evidence of active exploitation, so the short gap between disclosure and listing shows how quickly attackers weaponized the published details.

Remediation

  1. Upgrade to Apache OFBiz 18.12.15 or later immediately. The CISA deadline was September 17, 2024.
  2. If running 18.12.13 or 18.12.14, you are patched for CVE-2024-32113 but still vulnerable to CVE-2024-38856 — upgrade to 18.12.15 is required.
  3. Restrict internet access to OFBiz — the /webtools/control/ProgramExport endpoint should not be accessible from untrusted networks. Place OFBiz behind a WAF or reverse proxy that blocks access to administrative endpoints.
  4. Implement a WAF rule that matches ProgramExport in any position of the /control/ path, not only as the first segment (the override-view form places it second, after an anonymous request name), and that blocks a groovyProgram parameter in the query string or request body, for requests from non-administrative IP ranges.
  5. Audit OFBiz and reverse-proxy access logs for requests to /webtools/control/main/ProgramExport, other /webtools/control/<request>/ProgramExport paths, and /webtools/control/ProgramExport itself during the August 2024 exposure window. Access logs record only the request line, so a groovyProgram parameter sent in a POST body will not appear; the path shape is the reliable signal.
  6. Check for web shells: CVE-2024-38856 exploitation often results in dropped web shell files in the OFBiz application directory.
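
A log triage helper for remediation steps 4 to 6, added here as example code (it is not from the page or the OFBiz project). The access-log lines are constructed, the admin-network allowlist is an assumption to adjust for your environment, and the helper only sees request lines, so a groovyProgram parameter sent in a POST body is invisible to it and the override-view path shape is the main signal:

```python
"""Access-log triage for the OFBiz view-override pattern.

Constructed example code. SAMPLE_LOG is made up (combined log format) and
ADMIN_NETS is an assumption; everything else uses the standard library.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: administrators reach webtools only from this range.
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Views that must never be reached through an override segment. Only
# ProgramExport is covered by the advisory; extend for your deployment.
SENSITIVE_VIEWS = {"ProgramExport"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# /<webapp>/control/<request>/<overrideView>  (query string already stripped)
OVERRIDE_RE = re.compile(r"^/[^/]+/control/([^/]+)/([^/]+)$")

# Constructed sample lines: two override-view attempts, one GET carrying
# groovyProgram in the query string, and two legitimate admin requests.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2024:10:15:02 +0000] "POST /webtools/control/main/ProgramExport HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Aug/2024:10:15:03 +0000] "POST /webtools/control/forgotPassword/ProgramExport HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.9 - - [12/Aug/2024:11:02:44 +0000] "GET /webtools/control/ProgramExport?groovyProgram=println%281%29 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.8 - admin [12/Aug/2024:11:10:00 +0000] "GET /webtools/control/main HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
10.0.0.8 - admin [12/Aug/2024:11:11:00 +0000] "POST /webtools/control/ProgramExport HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query)
    return entry


def is_admin_ip(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETS)


def classify(entry):
    """Return the list of reasons an entry is suspicious (empty if none)."""
    reasons = []
    path = entry["path"]
    m = OVERRIDE_RE.match(path)
    if m and m.group(2) in SENSITIVE_VIEWS:
        # Second segment is the override view; the first segment is the one
        # the login check was applied to before 18.12.15.
        reasons.append("override-view")
    if "groovyProgram" in entry["query"]:
        reasons.append("groovy-in-query")
    # ProgramExport in any path position from outside the admin network.
    # POST bodies are not logged, so the path is the only available signal.
    if "ProgramExport" in path.split("/") and not is_admin_ip(entry["ip"]):
        reasons.append("programexport-from-untrusted-ip")
    return reasons


def scan(lines):
    """Return one finding per suspicious line, in log order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "method": entry["method"], "path": entry["path"],
                             "status": entry["status"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']:15} {f['method']} {f['path']} -> "
              f"{', '.join(f['reasons'])}")
```

Note that the first sample line comes from the admin range and is still flagged: the override-view shape is never legitimate for ProgramExport, so it is reported regardless of source, while a direct ProgramExport request from an administrator's address is left alone.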

Key Details

Property              Value
CVE ID                CVE-2024-38856
Vendor / Product      Apache — OFBiz
NVD Published         2024-08-05
NVD Last Modified     2025-10-23
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-863
CISA KEV Added        2024-08-27
CISA KEV Deadline     2024-09-17
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2024-09-17. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2024-08-04    Apache OFBiz 18.12.15 released with fix
2024-08-05    CVE published
2024-08-27    CISA adds to KEV (22 days after patch, reflecting rapid active exploitation)
2024-09-17    CISA BOD 22-01 remediation deadline