The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a critical vulnerability affecting Apache HugeGraph-Server, which has now been actively exploited.
The vulnerability, tracked as CVE-2024-27348, is a remote code execution (RCE) flaw that has been identified in Apache HugeGraph-Server versions ranging from 1.0.0 up to, but not including, 1.3.0. This flaw has been rated as critical, with a Common Vulnerability Scoring System (CVSS v3.1) score of 9.8, highlighting the severity of the potential damage that could result from its exploitation.
Apache users urged to implement Java 11
According to CISA, the vulnerability arises from improper access control within the affected versions of HugeGraph-Server, an open-source graph database designed to manage large-scale graph data. Apache addressed this issue on 22 April 2024 by releasing version 1.3.0, which fixes the flaw.
Users have been urged to upgrade to this version to mitigate the risk of exploitation. Additionally, Apache has recommended that users implement Java 11 and enable the authentication system (Auth) to further protect their systems.
Another key suggestion for improving security has been to activate the “Whitelist-IP/port” function, which would add an extra layer of protection by securing the RESTful API execution, an element of the system that could otherwise be vulnerable to attack chains.
CISA’s alert highlights that the active exploitation of CVE-2024-27348 has been observed in real-world environments. The agency has set a deadline for federal agencies and critical infrastructure organisations to apply the necessary updates or discontinue using vulnerable versions of the software by 9 October 2024. Failure to do so could expose these organisations to significant security risks, particularly given the widespread use of Apache HugeGraph-Server in high-stakes industries.
Apache HugeGraph-Server core to telecoms, financial services needs
Apache HugeGraph-Server is a core part of the Apache HugeGraph project, which is widely used for handling complex operations in large-scale graph data. Its applications include deep relationship analysis, data clustering, and path searches, making it valuable for industries that rely on complex data processing and high-performance systems.
Telecom providers use the product for fraud detection and network analysis, while the financial sector employs it for managing risks and analysing transaction patterns. Additionally, social media platforms utilise the technology for connection analysis and to power automated recommendation systems. Given the critical roles this product plays across various industries, the need to apply security patches and mitigate the vulnerability cannot be understated.
In addition to CVE-2024-27348, CISA has added four other vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue. These include CVE-2020-0618, a remote code execution vulnerability affecting Microsoft SQL Server Reporting Services; CVE-2019-1069, which involves a privilege escalation vulnerability in Microsoft Windows Task Scheduler; CVE-2022-21445, a remote code execution flaw in Oracle JDeveloper; and CVE-2020-14644, another remote code execution vulnerability impacting Oracle WebLogic Server.
Although these additional vulnerabilities are not currently under active exploitation, their inclusion in the KEV catalogue serves to document security flaws that have been exploited in the past. This ensures that organisations remain aware of potential weaknesses in their systems and take the necessary steps to protect themselves from historical vulnerabilities that may still be relevant today.
Earlier this week, CISA instructed American federal agencies to secure their systems against a recently patched Windows MSHTML spoofing vulnerability, which had been exploited by the Void Banshee advanced persistent threat (APT) group. The vulnerability, identified as CVE-2024-43461, was first revealed in Microsoft’s Patch Tuesday updates for September 2024. While initially believed to be unexploited, Microsoft later confirmed that the flaw had been actively targeted before the release of the patch.
Read more: FCC imposes $13m penalty on AT&T over 2023 vendor data breach
