- Apache Software Foundation discovered flaws in MINA, HugeGraph-Server, and Traffic Control
- One of the flaws was given a 10/10 severity score
- All bugs were patched, and admins are urged to apply the fixes ASAP
The Apache Software Foundation has released fixes for multiple vulnerabilities discovered in three different solutions: MINA, HugeGraph-Server, and Traffic Control. One of the flaws received a maximum 10/10 score.
Apache MINA is a network application framework that simplifies the development of high-performance and scalable communication protocols and applications by abstracting low-level I/O operations. Multiple versions (2.0 – 2.0.26, 2.1 – 2.1.9, and 2.2 – 2.2.3), were found vulnerable to a flaw that allowed threat actors to remotely execute arbitrary code, and as such, was given a severity score of 10/10.
It is tracked as CVE-2024-52046, and was addressed in versions 2.0.27, 2.1.10, and 2.2.4. However, as BleepingComputer reports, simply applying the patch will not suffice, since users also need to manually set the rejection of all classes, unless explicitly allowed by following one of three methods provided.
Attacks during winter holidays
Other two vulnerabilities are tracked as CVE-2024-43441, and CVE-2024-45387. The first, described as an authentication bypass issue, one was found in Apache HugeGraph-Server versions 1.0 – 1.3, and was addressed in version 1.5.0. The final one, an SQL injection vulnerability impacting Traffic Ops versions 8.0.0 – 8.0.1, was addressed in version 8.0.2. It was given a 9.9 critical severity score.
Winter holidays are notorious for being the time of the year when hackers are most active. With increased traffic, and many employees being on holiday leave, businesses are exposed more than usual. Cybercriminals are aware of this, and take advantage of the fact by launching devastating attacks, starting with Christmas eve onwards.
Therefore, Apache Software Foundation urged system administrators to upgrade their software to the latest version as soon as possible.
Via BleepingComputer