Apache OfBiz Critical Update - 20241121001 (#1105)

wagov · Nov 21, 2024 · 39c643a · 39c643a
1 parent 9c6fb19
commit 39c643a
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/docs/advisories/20241121001-Apache-OfBiz-Critical-Update.md b/docs/advisories/20241121001-Apache-OfBiz-Critical-Update.md
@@ -0,0 +1,22 @@
+# Apache OfBiz Critical Update - 20241121001
+
+## Overview
+
+The Apache Software Foundation has released important security updates to address two critical vulnerabilities in Apache OFBiz. The vulnerabilities could allow an attacker to perform arbitrary code execution on vulnerable systems and potentially compromise sensitive data.
+
+## What is vulnerable?
+
+| Product(s) Affected | Version(s) | CVE                                                                                                                                      | CVSS         | Severity                                                       |
+| ------------------- | ---------- | ---------------------------------------------------------------------------------------------------------------------------------------- | ------------ | -------------------------------------------------------------- |
+| Apache OFBiz    | Prior to version 18.12.17    | [CVE-2024-47208](https://nvd.nist.gov/vuln/detail/CVE-2024-47208)  <br>[CVE-2024-48962](https://nvd.nist.gov/vuln/detail/CVE-2024-48962)     | **9.8** <br>8.9          | **Critical** <br>High                                   |
+
+## What has been observed?
+
+There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
+
+## Recommendation
+
+The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours...* (refer [Patch Management](../guidelines/patch-management.md)):
+
+- Apache: <https://ofbiz.apache.org/security.html>
+