Securing Apache OFBiz from CVE-2024-38856 with AccuKnox Runtime Security
Vulnerability Overview
Apache OFBiz, a widely used open-source ERP platform, has a critical vulnerability, CVE-2024-38856, that allows unauthenticated remote code execution (RCE). An attacker can run arbitrary commands on the server, potentially leading to full system compromise.
This blog will demonstrate how to exploit this vulnerability in a Kubernetes environment and show how AccuKnox Runtime Security can mitigate the attack in real time.
The flaw is an incorrect-authorization bug in how OFBiz resolves a request's override view: an unauthenticated request can reach the ProgramExport endpoint of the webtools application, which executes attacker-supplied Groovy code inside the JVM, and that code can in turn spawn system commands. All releases up to and including 18.12.14 are affected; 18.12.15 fixes the issue.
CVSS Information
Severity: Critical (CVSS 9.8/10)
Affected Versions: Apache OFBiz 18.12.14 and earlier (fixed in 18.12.15)
Root Cause: Incorrect authorization; the override-view mechanism exposes the ProgramExport Groovy execution endpoint to unauthenticated requests
Potential Impact: Remote code execution (RCE) and unauthorized access to the system
Simulating the Attack in a Kubernetes Cluster
To demonstrate the impact of CVE-2024-38856, we’ve deployed Apache OFBiz (version 18.12) to a Kubernetes (K8s) cluster.
With Apache OFBiz running in our Kubernetes cluster, we use a public proof-of-concept (PoC) script to exploit CVE-2024-38856 and attempt to run an unauthorized command. Detailed instructions and the PoC script can be found at the linked repository.
python3 -u cve-2024-38856_Scanner.py --target https://ofbiz:8443/ --exploit -c "whoami"
The command executes successfully and returns the user the OFBiz JVM runs as, confirming that the vulnerability is exploitable.
Defend with AccuKnox Runtime Security
AccuKnox Runtime Security provides real-time protection against unauthorized or malicious activity by enforcing security policies directly in your environment. With the right policies in place you can block exploitation attempts as they happen and keep sensitive files out of reach of unauthorized processes.
Let's walk through the steps to protect Apache OFBiz from such attacks using AccuKnox Runtime Security:
- Ensure AccuKnox Runtime Security is Configured
Verify that AccuKnox Runtime Security is installed and configured on your Kubernetes cluster to enable security enforcement.
- Navigate to Policies
In the AccuKnox dashboard, go to the Policies section under the Runtime Security tab.
- Upload or Edit a Policy for Apache OFBiz
Upload a pre-configured policy, or use the policy editor to create a custom policy for Apache OFBiz, and then activate it. The policy used in this demo is the KubeArmor policy below.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ofbiz-policy-disallow-exec
  namespace: demo
spec:
  selector:
    matchLabels:
      app: ofbiz
  severity: 1
  message: "disallow execing from java process"
  process:
    matchDirectories:
      - dir: /usr/bin/
        recursive: true
        fromSource:
          - path: /opt/java/openjdk/bin/java
  action:
    Block
To block unauthorized command execution, we created a custom policy within AccuKnox that targets the Java process running OFBiz. The rule blocks the execution of any binary under /usr/bin/ (recursively) when the parent process is /opt/java/openjdk/bin/java, which is where an exploit that lands inside the JVM would spawn system commands. Two caveats apply. First, the rule covers process execution only: Groovy code running inside the JVM can still read or write files through Java APIs, so pair it with file rules and, above all, upgrade to 18.12.15. Second, the rule matches on the resolved path of the executed binary, so whether a shell at /bin/sh is caught depends on whether /bin is a symlink to /usr/bin in your image; check with readlink -f /bin/sh inside the container and add a second dir entry if it is not.
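To make the matching semantics concrete, here is an added example (not KubeArmor's own code and not part of the original post) that models the subset of the policy language used above: process.matchDirectories with dir, recursive and fromSource, plus a single action. The symlink table and the exec events are constructed for illustration, and the assumption that the enforcer compares the resolved path of the executed binary is spelled out in the code.

```python
"""Simulate how the page's KubeArmor process rule classifies exec() events.

Added example, not KubeArmor's implementation. It models only the parts of
the policy language the page's policy uses: process.matchDirectories with
`dir`, `recursive` and `fromSource`, and one `action`. Paths are compared
after symlink resolution (an assumption about how the enforcer sees the
binary); the symlink table below is a constructed stand-in for an image.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DirRule:
    dir: str                                   # e.g. "/usr/bin/"
    recursive: bool = False                    # also match sub-directories
    from_source: List[str] = field(default_factory=list)  # parent binaries; [] = any


@dataclass
class ProcessPolicy:
    name: str
    action: str                                # "Block" or "Audit"
    rules: List[DirRule]


# Transcription of the page's ofbiz-policy-disallow-exec policy.
OFBIZ_POLICY = ProcessPolicy(
    name="ofbiz-policy-disallow-exec",
    action="Block",
    rules=[DirRule(dir="/usr/bin/", recursive=True,
                   from_source=["/opt/java/openjdk/bin/java"])],
)

# Constructed symlink table for a usrmerge-style image (/bin -> /usr/bin).
# Real images differ; check with `readlink -f /bin/sh` inside the container.
USRMERGE_LINKS: Dict[str, str] = {"/bin": "/usr/bin", "/sbin": "/usr/sbin"}


def resolve(path: str, links: Dict[str, str]) -> str:
    """Rewrite a path through directory-level symlinks (longest prefix wins)."""
    for src in sorted(links, key=len, reverse=True):
        if path == src or path.startswith(src + "/"):
            return links[src] + path[len(src):]
    return path


def in_directory(path: str, rule: DirRule) -> bool:
    """True if path lies in rule.dir (direct child only unless recursive)."""
    base = rule.dir if rule.dir.endswith("/") else rule.dir + "/"
    if not path.startswith(base):
        return False
    return rule.recursive or "/" not in path[len(base):]


def decide(policy: ProcessPolicy, exec_path: str, parent: str,
           links: Optional[Dict[str, str]] = None) -> str:
    """Return the policy action for an exec of exec_path by parent, else 'Allow'."""
    target = resolve(exec_path, links or {})
    for rule in policy.rules:
        if rule.from_source and parent not in rule.from_source:
            continue          # fromSource restricts the rule to listed parents
        if in_directory(target, rule):
            return policy.action
    return "Allow"


JAVA = "/opt/java/openjdk/bin/java"

if __name__ == "__main__":
    # Constructed events: (binary exec'd, parent process binary)
    for exe, parent in [("/usr/bin/whoami", JAVA),
                        ("/usr/bin/whoami", "/bin/bash"),
                        ("/usr/local/bin/gradle", JAVA),
                        ("/bin/sh", JAVA)]:
        plain = decide(OFBIZ_POLICY, exe, parent)
        merged = decide(OFBIZ_POLICY, exe, parent, USRMERGE_LINKS)
        print(f"{exe:22} from {parent:28} plain={plain:5} usrmerge={merged}")
```

The last event is the one to watch: on an image where /bin is a real directory, /bin/sh spawned by the JVM is not under /usr/bin/ and the rule as written lets it through, whereas on a usrmerge image it resolves to /usr/bin/sh and is blocked. The same check shows why a kubectl exec into the pod is not a valid test of this rule: its parent is not the Java binary, so the fromSource filter does not apply.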
Once the AccuKnox Runtime Security policy is enforced, re-running the PoC shows that the attempt to execute a system command such as whoami from the OFBiz JVM is blocked, preventing unauthorized execution and preserving the integrity of the system. Verify it with the PoC rather than with kubectl exec: a command run through kubectl exec is not a child of the Java process, so the fromSource filter does not apply to it and it will succeed regardless of the policy.
After policy enforcement, an alert is raised in the AccuKnox SaaS dashboard, notifying us of the blocked attempt. The alert provides detailed information about the blocked activity, including the parent process and the binary it tried to execute.
CVE-2024-38856 is a critical vulnerability in Apache OFBiz that can be exploited for unauthenticated remote code execution. With AccuKnox Runtime Security, we were able to block the resulting command execution in real time and gain full visibility into the attempt through the SaaS dashboard, buying time to roll out the fixed release.
You can protect your workloads in minutes using AccuKnox. It secures Kubernetes and other cloud workloads using kernel-native primitives such as AppArmor, SELinux, and eBPF.
Let us know if you are seeking additional guidance in planning your cloud security program.