False positives for Apache OFBiz CVE-2024-36104

Is anyone else getting a bunch of false positives from this new check? Since the check was released on the 5th Sept, it’s showing up all over my environment on machines that have no Apache OFBiz installed. For example, we have Cisco security appliances which are showing as positive.
The Proof section is pretty vague. This is from one of my machines, but other machines have pretty identical results.

Running HTTPS service

HTTP POST request to https://x.x.x.x/webtools/control/forgotPassword/;/ProgramExport
HTTP response code was an expected 200

6 Likes

I agree. All of these seem to be false positives:

  • apache-ofbiz-cve-2024-32113
  • apache-ofbiz-cve-2024-36104
  • apache-ofbiz-cve-2024-45195
1 Like

Same experience with our platform. I think a 302 redirect followed by a 200 OK is triggering their proof for the vulns (HTTP POST request to https://IPADDRESS/webtools/control/forgotPassword/../ProgramExport)

1 Like
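As an added illustration of the mechanism described above (not code from any poster or from Rapid7), the script below stands up a constructed local stand-in for a non-OFBiz appliance that answers every unknown path with a 302 to its login page, which then returns 200. A naive check that follows redirects and only looks at the final status code reports it as positive; a stricter check that refuses to follow redirects does not. The probe path is the one quoted in the proof section; the server, `naive_check` and `strict_check` are assumptions made for the demonstration.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a non-OFBiz appliance: every unknown path is
# redirected to /login, and /login answers 200 for any request.
class RedirectingAppliance(BaseHTTPRequestHandler):
    def do_POST(self):
        if self.path == "/login":
            body = b"<html>Appliance login</html>"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(302)
            self.send_header("Location", "/login")
            self.send_header("Content-Length", "0")
            self.end_headers()

    do_GET = do_POST  # urllib turns a redirected POST into a GET

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_appliance():
    server = HTTPServer(("127.0.0.1", 0), RedirectingAppliance)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"

# Probe path quoted in the thread's proof section.
PROBE = "/webtools/control/forgotPassword/;/ProgramExport"

def naive_check(base):
    """Positive if the *final* response is 200, redirects followed."""
    req = urllib.request.Request(base + PROBE, data=b"", method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status == 200

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # treat any 3xx as a terminal (error) response

def strict_check(base):
    """Positive only if the probe path itself answers 200, no redirect."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(base + PROBE, data=b"", method="POST")
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False  # 3xx/4xx/5xx: the path is not served directly

if __name__ == "__main__":
    server, base = start_appliance()
    print("naive:", naive_check(base), "strict:", strict_check(base))
    server.shutdown()
```

Even the strict variant only separates a direct 200 from a redirected one; confirming a genuine OFBiz instance would still need product fingerprinting beyond the status code.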

Similarly experiencing a huge number of false positives. The check seems to be extremely basic.

1 Like

Same here, will open a case with Rapid7 because this doesn’t look good

1 Like

I want to add to this as well. These are getting picked up from desktop assets to servers to networking equipment. We don’t use Apache OFBiz. I do plan to create a ticket to r7 regarding this. Maybe they can shed some light on how their check is running exactly.

Still no change in the detection logic. I have raised a ticket with them to address this, so hopefully some progress will be made…

1 Like

After opening a ticket and providing some logs and additional proof that we are not utilizing this OFBiz software, the Rapid7 support engineer responded to my open ticket with the following this morning: “Our Engineering team is aware and actively working on a resolution. We will provide an update once more information becomes available.”

2 Likes

We have also opened a ticket about this and today got the notification that it should be fixed:

“We’re pleased to let you know that our engineering team released a fix for this reported CVE related to Apache OFBiz.
You may run a scan to verify or wait for the next scheduled scan.”

1 Like

Same issue here with HTTP redirect and HTTPS to HTTPS redirect.

1 Like

Wanted to provide a quick update. After sending in a ticket with all the relevant logs, etc. r7 said it was fixed. Rescanned and sure enough, all OFBiz vulns went away.