
The Apache Software Foundation (ASF) has released patches to address a maximum-severity vulnerability in the MINA Java network application framework that could lead to remote code execution under certain conditions.
Tracked as CVE-2024-52046, the vulnerability has a CVSS score of 10.0. It affects versions 2.0.X, 2.1.X, and 2.2.X.
"The object serialization decoder in Apache MINA uses Java's native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses," project maintainers said in an advisory issued on December 25, 2024.
"This vulnerability allows attackers to exploit the deserialization process by sending specially crafted malicious serialized data, potentially leading to remote code execution (RCE) attacks."
However, it notes that the vulnerability is only exploitable if the IoBuffer#getObject() method is used in conjunction with certain classes such as ProtocolCodecFilter and ObjectSerializationCodecFactory.

"Upgrading will not be enough: you also need to explicitly allow the classes that the object serialization decoder will accept in the decoder instance, using one of three new methods," Apache said.
This disclosure comes days after ASF patched several vulnerabilities in Tomcat (CVE-2024-56337), Traffic Control (CVE-2024-45387), and HugeGraph-Server (CVE-2024-43441).
Earlier this month, Apache also fixed a critical security flaw in the Struts web application framework (CVE-2024-53677) that an attacker could exploit to achieve remote code execution. Active exploitation attempts have since been detected.
Users of these products are strongly advised to update their installations to the latest version as soon as possible to avoid potential risks.
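The allow-listing the advisory requires is the standard defense for Java native deserialization: the decoder must accept only the classes the protocol legitimately carries and reject everything else before an instance is created. The following is an added example, not code from Apache MINA or its advisory, and the page does not name MINA's three new methods, so it uses the JDK's own ObjectInputFilter (Java 9+) to show the same principle. The Message class, the policy string and the sample payloads are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

/**
 * Added example (not Apache MINA code): allow-listing the classes a Java
 * deserialization endpoint will accept, using the JDK's ObjectInputFilter.
 * The pattern names every class the protocol legitimately carries and ends
 * with "!*", which rejects any other class before it is instantiated.
 */
public class AllowlistedDeserialization {

    /** Constructed application message type: the only class the endpoint should accept. */
    public static final class Message implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Message(String text) { this.text = text; }
    }

    /** Allow-list policy (constructed): binary class names separated by ';', then reject the rest. */
    static final String POLICY = "AllowlistedDeserialization$Message;java.lang.String;!*";

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /**
     * Unchecked variant, shown for contrast: any Serializable class on the
     * classpath is a candidate. This is the unguarded pattern the advisory
     * describes; it must not be used on untrusted input.
     */
    static Object deserializeUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    /** Hardened variant: the filter vets each class before the stream resolves and instantiates it. */
    static Object deserializeAllowlisted(byte[] data, String policy)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(policy);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new Message("hello"));
        // A perfectly legitimate JDK class, but not one this protocol ever sends.
        byte[] unexpected = serialize(new HashMap<String, String>());

        Message m = (Message) deserializeAllowlisted(good, POLICY);
        System.out.println("accepted: " + m.text);

        // The unchecked decoder builds whatever class the stream names ...
        System.out.println("unfiltered built: "
                + deserializeUnfiltered(unexpected).getClass().getName());

        // ... while the allow-listed decoder refuses it with InvalidClassException.
        try {
            deserializeAllowlisted(unexpected, POLICY);
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The important design choice is the trailing `!*`: an allow-list that does not end by rejecting everything else is only a deny-list, and deny-lists of known gadget classes have repeatedly been bypassed. The same pattern string can also be applied process-wide through the `jdk.serialFilter` system property, which is a useful safety net for libraries whose decoder configuration you do not control.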