Cyber Security Agency of Singapore Warns of Exploited Apache Vulnerabilities in 2024
Overview
The Cyber Security Agency of Singapore (CSA) has alerted users to multiple vulnerabilities in Apache software. The alert covers three vulnerabilities, CVE-2024-43441, CVE-2024-45387, and CVE-2024-52046, for which the Apache Software Foundation released security updates in late 2024 across several of its widely used products.
These vulnerabilities affect Apache HugeGraph, Apache Traffic Control, and Apache MINA respectively. Exploitation could lead to severe security risks, including remote code execution (RCE), authentication bypass, and SQL injection.
Details of the Apache Vulnerabilities
Here are the vulnerabilities identified in the Apache software:
CVE-2024-43441: Authentication Bypass in Apache HugeGraph
The first critical vulnerability, CVE-2024-43441, impacts Apache HugeGraph-Server, a graph database server. The flaw allows an attacker to bypass the server's existing authentication mechanisms in versions prior to 1.5.0. Because Apache HugeGraph is used for managing and querying large-scale graph data, an exposed server running a vulnerable version is an attractive target.
By bypassing authentication, an attacker could gain unauthorized access to sensitive data or modify the server’s configuration, potentially disrupting the services relying on HugeGraph. Users and administrators are urged to update to version 1.5.0 or higher to mitigate the risk posed by this vulnerability.
CVE-2024-45387: SQL Injection in Apache Traffic Control
Another vulnerability, CVE-2024-45387, affects Apache Traffic Control, a tool used for managing content delivery networks (CDNs). This vulnerability exists in the Traffic Ops component of Apache Traffic Control, which is responsible for the management and optimization of traffic routing across CDN servers. The flaw allows attackers to perform SQL injection attacks in versions 8.0.0 to 8.0.1.
SQL injection is one of the most well-known forms of attack, allowing attackers to manipulate database queries by inserting malicious SQL code. If successfully exploited, this vulnerability could allow an attacker to gain access to or manipulate the underlying database of an organization’s CDN, potentially compromising sensitive information or altering configurations. Users of affected versions are strongly advised to upgrade to later versions as soon as possible to patch this vulnerability.
CVE-2024-52046: Remote Code Execution in Apache MINA
Perhaps the most critical of the three vulnerabilities, CVE-2024-52046, affects Apache MINA, a network application framework used to build scalable and high-performance network applications. This vulnerability is particularly severe because it allows remote code execution (RCE) attacks due to improper handling of serialized data.
Apache MINA uses Java’s native deserialization protocol to process incoming serialized data. However, due to a lack of necessary security checks, attackers can exploit this flaw by sending specially crafted malicious serialized data, leading to RCE. This flaw affects versions of MINA core prior to 2.0.27, 2.1.10, and 2.24.
Remote code execution is one of the most dangerous types of vulnerabilities, as it allows attackers to execute arbitrary code on the affected system, potentially leading to full system compromise. For applications using Apache MINA, it is essential to upgrade to the latest versions (2.0.27, 2.1.10, or 2.24) and, in some cases, apply additional mitigation steps.
Users must also explicitly configure the decoder so that it rejects deserialization requests unless they come from a trusted source. This extra step is necessary because upgrading alone does not fully secure the system.
Detailed Instructions for Mitigation of CVE-2024-52046
The CVE-2024-52046 vulnerability requires users to not only upgrade to the latest version of Apache MINA but also manually configure the deserialization process to limit which classes are accepted. The update includes three methods for controlling which classes the ObjectSerializationDecoder will accept:
- ClassNameMatcher: Accept class names that match a specified pattern.
- Pattern: Accept class names that match a regular expression pattern.
- String Patterns: Accept class names that match a wildcard pattern.
By default, the decoder will reject all classes unless explicitly allowed, making it critical to follow these instructions to properly secure systems that use Apache MINA. It is also important to note that certain sub-projects, such as FtpServer, SSHd, and Vysper, are not affected by this vulnerability.
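As an added example (not code from the Cyble post or from the Apache MINA project), the following Java class shows how a server could apply the class allowlist described above when it installs the object-serialization codec. The three accept(...) overloads are the ones the advisory names for the patched releases; the HardenedObjectCodecFactory class, the package name com.example.messages, the allowed JDK types and the wiring into an NioSocketAcceptor are assumptions made for illustration.

```java
// Added example, not from the Cyble post or the Apache MINA project: a codec
// factory that hands every session an ObjectSerializationDecoder with an
// explicit class allowlist, as required alongside the CVE-2024-52046 upgrade.
// The package com.example.messages and the server wiring are hypothetical.
import java.net.InetSocketAddress;
import java.util.regex.Pattern;

import org.apache.mina.core.service.IoAcceptor;
import org.apache.mina.core.service.IoHandlerAdapter;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.codec.ProtocolCodecFactory;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.ProtocolDecoder;
import org.apache.mina.filter.codec.ProtocolEncoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;

public final class HardenedObjectCodecFactory implements ProtocolCodecFactory {

    // Wildcard patterns (assumed application package plus a few JDK value types).
    // Nothing outside this list is ever instantiated by the decoder.
    private static final String[] ALLOWED_WILDCARDS = {
        "com.example.messages.*",
        "java.lang.String",
        "java.lang.Integer",
        "java.lang.Long"
    };

    private final ObjectSerializationEncoder encoder = new ObjectSerializationEncoder();

    @Override
    public ProtocolEncoder getEncoder(IoSession session) {
        return encoder;
    }

    @Override
    public ProtocolDecoder getDecoder(IoSession session) {
        ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();

        // In the patched releases a decoder with no accept(...) call rejects every
        // class, so this call is what makes the codec usable at all.
        decoder.accept(ALLOWED_WILDCARDS);                               // accept(String... patterns)

        // The two other overloads named in the advisory; any one of the three is
        // sufficient, they are shown here only to illustrate the alternatives.
        decoder.accept(Pattern.compile("com\\.example\\.messages\\.[A-Za-z0-9_$]+")); // accept(Pattern)
        decoder.accept(className -> className.startsWith("com.example.messages.")); // accept(ClassNameMatcher)

        // Bound the size of a single serialized object as an extra safety margin.
        decoder.setMaxObjectSize(1024 * 1024);
        return decoder;
    }

    // Minimal server wiring so the factory can be exercised end to end.
    public static IoAcceptor bind(int port) throws Exception {
        IoAcceptor acceptor = new NioSocketAcceptor();
        acceptor.getFilterChain().addLast("codec",
                new ProtocolCodecFilter(new HardenedObjectCodecFactory()));
        acceptor.setHandler(new IoHandlerAdapter() {
            @Override
            public void messageReceived(IoSession session, Object message) {
                // Only instances of allowlisted classes reach this point; a
                // serialized stream naming any other class fails inside the
                // decoder before an object of that class is constructed.
                System.out.println("received " + message.getClass().getName());
            }
        });
        acceptor.bind(new InetSocketAddress(port));
        return acceptor;
    }
}
```

Calling HardenedObjectCodecFactory.bind(port) from a main method starts a listener that decodes only the listed classes. Keeping the allowlist to the application's own message types and a few JDK value types is the point of the configuration: a broad pattern such as "*" would reopen the hole the upgrade closes.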
Emmanuel Lécharny, a user and contributor on the Apache MINA mailing list, noted the risk of RCE attacks associated with this issue. In his post dated December 25, 2024, he stressed the importance of upgrading to the latest versions of Apache MINA and applying the necessary security settings to protect against exploitation.
Conclusion
To protect their infrastructure, organizations relying on Apache products must take immediate action to address these vulnerabilities. For CVE-2024-43441, updating to Apache HugeGraph-Server version 1.5.0 or later is essential to resolve the authentication bypass issue.
Organizations should also upgrade to a version of Apache Traffic Control newer than 8.0.1 to mitigate the SQL injection vulnerability in CVE-2024-45387. For CVE-2024-52046 in Apache MINA, upgrading to the latest versions (2.0.27, 2.1.10, or 2.24) and configuring the deserialization process to restrict accepted classes is critical.
Keeping systems up-to-date with the latest security patches and updates from the Apache Software Foundation is key to defending against active exploitation of these vulnerabilities. Proactively applying these measures will significantly reduce the risk of attacks and ensure a more secure environment.
The post Cyber Security Agency of Singapore Warns of Exploited Apache Vulnerabilities in 2024 appeared first on Cyble.