Apache highlights significant vulnerabilities in MINA, HugeGraph, and Traffic Control 2024

Apache Software Foundation (ASF) has released security updates to address three critical issues affecting the MINA, HugeGraph-Server, and Traffic Control products.

The first vulnerability, in MINA, has been patched in new software versions released between December 23 and 25, 2024. However, the holiday season may slow the rate at which users apply the update, increasing the window for exploitation. The bug, tracked as CVE-2024-52046, affects MINA versions 2.0 to 2.0.26, 2.1 to 2.1.9, and 2.2 to 2.2.3. ASF rated it critical, with a severity score of 10 out of 10.


Apache MINA is a network application framework that provides an abstraction layer for developing high-performance and scalable network applications.

The flaw lies in the ‘ObjectSerializationDecoder,’ which performs unsafe Java deserialization of incoming data, potentially leading to remote code execution (RCE). According to the Apache team, an application is only exposed if the ‘IoBuffer#getObject()’ method is used in conjunction with certain classes.

Apache addressed the issue by releasing versions 2.0.27, 2.1.10, and 2.2.4, which enhanced the vulnerable component with stricter default security settings.

However, upgrading to these versions alone is not enough. Users must also explicitly configure which classes the decoder is allowed to deserialize, so that every other class is rejected, using one of the three methods the project provides for this purpose.
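The allowlist configuration described above, as an added example that is not code from the article or from the MINA project. It assumes that the org.apache.mina.* package paths, the decoder's accept(String...) overload and setMaxObjectSize(int) match the fixed 2.x releases, and com.example.messages is a placeholder package for the application's own message types.

```java
// Added example (not from the article or the MINA project): a ProtocolCodecFactory
// that supplies MINA with an ObjectSerializationDecoder carrying an explicit class
// allowlist, which the fixed releases (2.0.27 / 2.1.10 / 2.2.4) require after upgrading.
// Assumptions: package paths and the accept(...) / setMaxObjectSize(...) signatures
// match the fixed releases; com.example.messages.* is a placeholder application package.
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.codec.ProtocolCodecFactory;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.ProtocolDecoder;
import org.apache.mina.filter.codec.ProtocolEncoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;

public final class AllowlistedObjectCodecFactory implements ProtocolCodecFactory {
    private final ObjectSerializationEncoder encoder = new ObjectSerializationEncoder();
    private final ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();

    public AllowlistedObjectCodecFactory() {
        // In the fixed releases the decoder rejects every class by default.
        // Accept only the message types this application actually exchanges;
        // anything outside this pattern is refused before deserialization.
        decoder.accept("com.example.messages.*");
        // Also bound the size of a single serialized object (defence in depth).
        decoder.setMaxObjectSize(64 * 1024);
    }

    @Override
    public ProtocolEncoder getEncoder(IoSession session) {
        return encoder;
    }

    @Override
    public ProtocolDecoder getDecoder(IoSession session) {
        return decoder;
    }

    // Install this in the filter chain instead of ObjectSerializationCodecFactory,
    // e.g. acceptor.getFilterChain().addLast("codec", AllowlistedObjectCodecFactory.filter());
    public static ProtocolCodecFilter filter() {
        return new ProtocolCodecFilter(new AllowlistedObjectCodecFactory());
    }
}
```

Verify the installed MINA version first: on the unpatched releases the decoder does not expose accept(...) and deserializes every class it receives, so the allowlist cannot be applied there.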

The second vulnerability, affecting Apache HugeGraph-Server versions 1.0 to 1.3, is an authentication bypass issue tracked as CVE-2024-43441. This issue is caused by improper validation of authentication logic.


Apache HugeGraph-Server is a graph database server that enables efficient storage, querying, and analysis of graph-based data. The authentication bypass issue has been addressed in version 1.5.0, which is the recommended update target for HugeGraph-Server users.

“The third vulnerability is identified as CVE-2024-45387, with a critical severity score of 9.9 from ASF. It is an SQL injection issue impacting Traffic Ops versions 8.0.0 to 8.0.1. This vulnerability allows privileged users with roles such as ‘admin,’ ‘federation,’ ‘operations,’ ‘portal,’ or ‘steering’ to execute arbitrary SQL commands on the database by sending specially crafted ‘PUT’ requests,” the project maintainers stated in an advisory.

Apache Traffic Control is a management and optimization tool for content delivery networks (CDNs). The project was announced as a top-level project (TLP) by ASF in June 2018.

Yuan Luo, a researcher from Tencent YunDing Security Lab, is credited with discovering and reporting this vulnerability. The issue has been patched in Apache Traffic Control version 8.0.2, released earlier this week. The Apache team noted that versions 7.0.0 through 8.0.0 are not affected.

System administrators are strongly advised to update to the latest product versions as soon as possible, especially since attackers often target holiday periods, when companies have fewer employees on duty and slower response times.

Sources:
https://thehackernews.com/2024/12/critical-sql-injection-vulnerability-in.html
https://www.bleepingcomputer.com/news/security/apache-warns-of-critical-flaws-in-mina-hugegraph-traffic-control/
https://www.bleepingcomputer.com/news/security/apache-fixes-remote-code-execution-bypass-in-tomcat-web-server/
https://thehackernews.com/2024/12/apache-tomcat-vulnerability-cve-2024.html
https://nvd.nist.gov/vuln/detail/CVE-2024-52046
https://lists.apache.org/thread/4wxktgjpggdbto15d515wdctohb0qmv8
https://www.bleepingcomputer.com/news/security/fortinet-warns-of-critical-fortiwlm-bug-giving-hackers-admin-privileges/