The Cyber Security Agency of Singapore has issued a warning about several critical vulnerabilities found in Apache software products. The Apache Software Foundation has rolled out security patches addressing these vulnerabilities, which could pose risks to users and organizations relying on these tools. Among the affected vulnerabilities are CVE-2024-43441, CVE-2024-45387, and CVE-2024-52046.
Overview of CVE-2024-43441, CVE-2024-45387, and CVE-2024-52046
Among the Apache vulnerabilities, CVE-2024-43441 affects Apache HugeGraph-Server, a graph database server widely used for managing complex data relationships. This vulnerability allows attackers to bypass authentication mechanisms, potentially granting unauthorized access to sensitive data. It affects versions of HugeGraph-Server prior to 1.5.0. Successful exploitation of this flaw could allow malicious actors to gain access to restricted systems without providing valid credentials.
Another vulnerability, CVE-2024-45387, has been identified in Apache Traffic Control, a popular tool for managing and optimizing content delivery networks (CDNs). This vulnerability specifically impacts Traffic Ops, a key component of Apache Traffic Control, from versions 8.0.0 to 8.0.1. Attackers can exploit this flaw to perform SQL injection attacks, which could allow them to manipulate databases, potentially leading to unauthorized data access or modification.
The third critical vulnerability, CVE-2024-52046, is present in Apache MINA, a network application framework used in a wide range of applications. This vulnerability stems from improper handling of Java’s deserialization protocol, enabling attackers to send specially crafted serialized data.
By exploiting this issue, attackers could execute remote code on affected systems, which may result in full system compromise. This vulnerability affects Apache MINA versions prior to 2.0.27, 2.1.10, and 2.24. The exploitation of this flaw could lead to remote code execution (RCE) attacks, posing a serious risk to users of affected versions.
How to Mitigate the Risks Associated with these Apache Vulnerabilities?
For CVE-2024-43441, users and administrators of Apache HugeGraph-Server are advised to upgrade to version 1.5.0 or higher. This update addresses the authentication bypass issue, ensuring that unauthorized users cannot gain access to systems.
Similarly, CVE-2024-45387 in Apache Traffic Control requires users to update their systems to versions beyond 8.0.1 to protect against the SQL injection vulnerability. Failure to apply this patch could expose users to data manipulation or leakage.
However, CVE-2024-52046 in Apache MINA requires additional attention. In addition to upgrading to the latest versions (2.0.27, 2.1.10, or 2.24), administrators must take further steps to mitigate risks associated with unbounded deserialization. Specifically, the ObjectSerializationDecoder component in Apache MINA must be configured to reject all classes unless explicitly allowed. This can be done by utilizing one of three new methods to define acceptable classes for deserialization.
The three methods to restrict class deserialization are:
- accept(ClassNameMatcher classNameMatcher): Allows class names matching the supplied matcher.
- accept(Pattern pattern): Accepts class names that match a Java regular expression pattern.
- accept(String… patterns): Accepts wildcard patterns for class names during deserialization.
By default, Apache MINA’s deserialization process rejects all incoming classes, but administrators must actively configure exceptions to ensure security. Additionally, it’s important to note that certain sub-projects of Apache MINA, such as FtpServer, SSHd, and Vysper, are not affected by this vulnerability.
Expert Opinions and User Guidance
Emmanuel Lécharny, a user and contributor to Apache MINA, provided further insights into the risks posed by CVE-2024-52046. He emphasized that MINA applications relying on unbounded deserialization could expose systems to RCE attacks if the vulnerability is exploited. Lécharny’s post highlighted the significance of upgrading to the latest versions of Apache MINA and configuring the necessary security measures to safeguard systems from this critical flaw.
Broader Context and Previous Vulnerabilities
These Apache vulnerabilities are not isolated incidents in the Apache ecosystem. Earlier in 2024, The Cyber Express reported a similar issue with CVE-2024-38856, a vulnerability affecting Apache OFBiz, an open-source enterprise resource planning (ERP) system.
This flaw was identified by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as part of its Known Exploited Vulnerabilities (KEV) catalog. It was noted that CVE-2024-38856 posed online threats as it allowed attackers to execute remote code without authentication, with a CVSS score of 9.8, classifying it as critical. Organizations using Apache OFBiz were urged to upgrade to version 18.12.15 to resolve the vulnerability.
