The Apache Software Foundation (ASF) has acted to address three critical vulnerabilities across widely used software projects, namely MINA, HugeGraph-Server, and Traffic Control. The patches, released between 23 and 25 December, address severe flaws, including remote code execution (RCE), authentication bypass, and SQL injection. Organisations are urged to act quickly to mitigate these risks, especially during the holiday period when response times are slower.
A major vulnerability, CVE-2024-52046, has been identified in Apache MINA, a framework used to develop high-performance and scalable network applications. This issue impacts versions 2.0 through 2.0.26, 2.1 through 2.1.9, and 2.2 through 2.2.3 and has been assigned the maximum severity score of 10 out of 10.
The flaw resides in the ObjectSerializationDecoder component, which uses Java’s native deserialisation protocol to turn serialised bytes back into objects. Insufficient restrictions in this component allow attackers to exploit the deserialisation process: a crafted serialised payload sent to the decoder can lead to arbitrary code execution on the receiving host. Apache has addressed this vulnerability by releasing MINA versions 2.0.27, 2.1.10, and 2.2.4, which introduce stricter deserialisation controls. Simply upgrading is not enough, however. Administrators must actively configure the updated versions so that the decoder rejects all classes by default unless they are explicitly permitted. This can be achieved with the newly added methods, which accept class name matchers, regular expressions, or wildcard patterns. Systems relying on the IoBuffer#getObject() method in combination with specific classes, such as those in the ObjectSerializationCodecFactory, remain particularly at risk if these additional measures are not applied.
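The following is an added example, not code from the article or from the Apache MINA project, showing what the post-patch configuration described above looks like in practice: the decoder rejects every class and the application opts in only the message types it actually exchanges. The accept(String...) and accept(Pattern) methods on ObjectSerializationDecoder are assumed from the description of the fixed releases and should be verified against the javadoc of the version you deploy; the package name com.example.app.messages and the Heartbeat class are hypothetical. The second half expresses the same default-deny policy with the JDK's own ObjectInputFilter (Java 9 and later) for code paths that read ObjectInputStream directly rather than through MINA, and demonstrates a rejected payload.

```java
// Added example; not from the article or the Apache MINA project.
// MINA method names accept(String...) / accept(Pattern) are assumed from the
// fixed-release description: verify against the javadoc of your release.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.regex.Pattern;

import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.codec.ProtocolCodecFactory;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.ProtocolDecoder;
import org.apache.mina.filter.codec.ProtocolEncoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;

public final class SerializationAllowList {

    /** Hypothetical application message type: the only class the wire may carry. */
    public static final class Heartbeat implements Serializable {
        private static final long serialVersionUID = 1L;
        public final long sentAt;
        public Heartbeat(long sentAt) { this.sentAt = sentAt; }
    }

    /**
     * Codec factory whose decoder keeps the patched default-deny behaviour and
     * permits only the application's own message package. JDK collections and
     * any gadget class on the classpath are rejected before instantiation.
     */
    static ProtocolCodecFactory allowListedCodec() {
        final ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();
        // Wildcard form: every class under the (hypothetical) message package.
        decoder.accept("com.example.app.messages.*");
        // Regular-expression form for finer control over the same package.
        decoder.accept(Pattern.compile("^com\\.example\\.app\\.messages\\.[A-Za-z0-9_$]+$"));
        // Bound the payload size as well; this setter exists in all 2.x lines.
        decoder.setMaxObjectSize(64 * 1024);
        final ObjectSerializationEncoder encoder = new ObjectSerializationEncoder();
        return new ProtocolCodecFactory() {
            @Override public ProtocolEncoder getEncoder(IoSession s) { return encoder; }
            @Override public ProtocolDecoder getDecoder(IoSession s) { return decoder; }
        };
    }

    /** Install the allow-listed codec in an acceptor's filter chain. */
    static void installOn(NioSocketAcceptor acceptor) {
        acceptor.getFilterChain().addLast("codec", new ProtocolCodecFilter(allowListedCodec()));
    }

    /**
     * The same default-deny policy with the JDK filter: allowed names first,
     * then "!*" rejects every class not matched earlier.
     */
    static final ObjectInputFilter JDK_ALLOW_LIST =
        ObjectInputFilter.Config.createFilter(Heartbeat.class.getName() + ";!*");

    /** Deserialise with the allow list; rejected classes raise InvalidClassException. */
    static Object readWithAllowList(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(JDK_ALLOW_LIST);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one permitted message and one ordinary JDK object
        // that is not on the list and must therefore be refused.
        Object ok = readWithAllowList(serialize(new Heartbeat(1L)));
        System.out.println("accepted: " + ok.getClass().getSimpleName());
        try {
            readWithAllowList(serialize(new java.util.ArrayList<String>()));
            System.out.println("BUG: ArrayList should have been rejected");
        } catch (InvalidClassException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
        }
    }
}
```

The point of the two halves is the same: the safe posture is an explicit allow list, not a deny list of known-bad classes, because the set of exploitable gadget chains depends on whatever happens to be on the classpath. Widen the MINA patterns only to the package that holds your own message types, and treat a rejection in production as something to alert on rather than silently drop.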
Another critical issue, CVE-2024-43441, affects Apache HugeGraph-Server, a graph database server designed for the efficient storage and analysis of large-scale graph data. The flaw, present in versions 1.0 through 1.3, is caused by improper validation of authentication logic, enabling attackers to bypass authentication mechanisms. To address the problem, Apache has released HugeGraph-Server version 1.5.0, which includes enhanced authentication checks.
The third vulnerability, CVE-2024-45387, affects the Traffic Ops component of Apache Traffic Control, a platform used for managing and optimising content delivery networks (CDNs). The flaw impacts versions 8.0.0 and 8.0.1 and has been rated with a critical severity score of 9.9. The issue arises from inadequate sanitisation of SQL inputs, allowing authenticated users holding specific roles, such as admin, operations, or steering, to execute arbitrary SQL commands via maliciously crafted PUT requests. Apache has resolved the problem in Traffic Control version 8.0.2, which administrators are urged to adopt immediately. Earlier versions, such as those in the 7.0.x series, are unaffected by this issue.
Holiday period heightens exploitation risks
The timing of these updates during the holiday season adds an extra layer of urgency. Many organisations operate with reduced staff over this period, potentially delaying the implementation of patches. This creates an ideal window for attackers to exploit unpatched vulnerabilities. Administrators of Apache MINA must not only upgrade to the latest versions but also ensure the required security configurations are applied to restrict deserialisation processes. Similarly, users of HugeGraph-Server and Traffic Control must transition to the updated versions to mitigate risks effectively.