Multiple Critical Vulnerabilities in Apache Products
30 December 2024
The Apache Software Foundation has released security updates addressing critical vulnerabilities (CVE-2024-43441, CVE-2024-45387 and CVE-2024-52046) affecting various Apache products.
The vulnerabilities are:
CVE-2024-43441: Successful exploitation of this vulnerability in Apache HugeGraph-Server, a graph database server, could allow an attacker to bypass the existing authentication mechanism. This vulnerability affects HugeGraph-Server versions before 1.5.0.
CVE-2024-45387: Successful exploitation of this vulnerability in Traffic Ops in Apache Traffic Control, which is a content delivery network (CDN) management and optimisation tool, could allow an authenticated user holding a privileged role to perform SQL injection against the Traffic Ops database through a specially crafted PUT request. This vulnerability affects Apache Traffic Control versions 8.0.0 to 8.0.1.
CVE-2024-52046: Successful exploitation of this vulnerability in Apache MINA, a network application framework, could allow an attacker to abuse the Java deserialisation performed by the ObjectSerializationDecoder class by sending specially crafted malicious serialised data, potentially leading to remote code execution (RCE). Only applications that use this decoder (for example through ObjectSerializationCodecFactory) are exposed. This vulnerability affects MINA core versions 2.0.x before 2.0.27, 2.1.x before 2.1.10 and 2.2.x before 2.2.4.
Users and administrators of affected product versions are advised to update to the latest version immediately. For CVE-2024-52046, upgrading alone is not sufficient: the fixed MINA releases reject every class by default, so applications that use ObjectSerializationDecoder must explicitly allow the classes they expect to deserialise using one of the three methods described in the Apache MINA advisory linked below (accept(ClassNameMatcher), accept(Pattern) or accept(String... patterns) on the decoder). Anything not explicitly allowed remains rejected.
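The allow-list step for CVE-2024-52046, as an added example in Java (MINA's own language). This is not code from the advisory or from the Apache MINA project: the three accept(...) overloads are the ones the MINA advisory names, while the ProtocolCodecFactory wiring, the package and class names under com.example, the object-size bound and the port are assumptions made for illustration.

```java
import java.net.InetSocketAddress;
import java.util.Set;
import java.util.regex.Pattern;

import org.apache.mina.core.service.IoHandlerAdapter;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.codec.ProtocolCodecFactory;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.ProtocolDecoder;
import org.apache.mina.filter.codec.ProtocolEncoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;

/**
 * Added example (not MINA's own code): a ProtocolCodecFactory that hands out an
 * ObjectSerializationDecoder with an explicit class allow-list, as required after
 * upgrading to MINA 2.0.27 / 2.1.10 / 2.2.4. In those releases the decoder rejects
 * every class by default, so an upgraded server with no accept(...) call simply stops
 * decoding objects; the allow-list below makes it work again without reopening
 * CVE-2024-52046, because classes outside the list are refused during decoding.
 */
public final class AllowListedObjectCodecFactory implements ProtocolCodecFactory {

    // One shared encoder/decoder pair, as the stock ObjectSerializationCodecFactory does;
    // the decoder keeps per-session buffering in session attributes, so sharing is safe.
    private final ObjectSerializationEncoder encoder = new ObjectSerializationEncoder();
    private final ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();

    public AllowListedObjectCodecFactory() {
        // Method 1: accept(String... patterns) - wildcard patterns on class names.
        // "com.example.wire" is a hypothetical package holding this application's own
        // message classes; everything outside it stays rejected.
        decoder.accept("com.example.wire.*");

        // Method 2: accept(java.util.regex.Pattern) - a regex, here for the few JDK value
        // types those messages contain. Deliberately absent: collections, reflection
        // helpers and the other JDK classes that known gadget chains are assembled from.
        decoder.accept(Pattern.compile("^java\\.lang\\.(String|Integer|Long|Boolean)$"));

        // Method 3: accept(ClassNameMatcher) - arbitrary logic. ClassNameMatcher has a
        // single method, boolean matches(String className), so a method reference fits.
        // The hypothetical monitoring classes are allowed by exact name only.
        Set<String> monitoring = Set.of("com.example.monitoring.Heartbeat",
                                        "com.example.monitoring.Ack");
        decoder.accept(monitoring::contains);

        // Separate from the class filter but worth setting: cap the length prefix the
        // decoder will buffer for a single object (default 1 MiB), so a peer cannot
        // make the server allocate a large buffer before the class check even runs.
        decoder.setMaxObjectSize(64 * 1024);
    }

    @Override
    public ProtocolEncoder getEncoder(IoSession session) {
        return encoder;
    }

    @Override
    public ProtocolDecoder getDecoder(IoSession session) {
        return decoder;
    }

    // Minimal server wiring showing where the factory goes; port 9123 is arbitrary.
    public static void main(String[] args) throws Exception {
        NioSocketAcceptor acceptor = new NioSocketAcceptor();
        acceptor.getFilterChain().addLast("codec",
                new ProtocolCodecFilter(new AllowListedObjectCodecFactory()));
        acceptor.setHandler(new IoHandlerAdapter() {
            @Override
            public void messageReceived(IoSession session, Object message) {
                // Only instances of allow-listed classes ever reach this point; a
                // serialised class outside the list fails inside the decoder and
                // surfaces through exceptionCaught() for that session instead.
                System.out.println("decoded " + message.getClass().getName());
            }
        });
        acceptor.bind(new InetSocketAddress(9123));
    }
}
```

A quick way to confirm the upgrade actually took effect is to point the same client at the server before adding any accept(...) call: on a fixed release every message is refused, whereas a vulnerable release decodes it silently.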
More information is available here:
https://nvd.nist.gov/vuln/detail/CVE-2024-52046
https://lists.apache.org/thread/4wxktgjpggdbto15d515wdctohb0qmv8
https://nvd.nist.gov/vuln/detail/CVE-2024-43441
https://lists.apache.org/thread/h2607yv32wgcrywov960jpxhvsmmlf12