The Apache Software Foundation (ASF) has released patches to address a maximum severity vulnerability in the MINA Java network application framework that could result in remote code execution under specific conditions.
Tracked as CVE-2024-52046, the vulnerability carries a CVSS score of 10.0. It affects versions 2.0.X, 2.1.X, and 2.2.X.
“The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses,” the project maintainers said in an advisory released on December 25, 2024.
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
“This vulnerability allows attackers to exploit the deserialization process by sending specially crafted malicious serialized data, potentially leading to remote code execution (RCE) attacks.”
However, it bears noting that the vulnerability is exploitable only if the “IoBuffer#getObject()” method is invoked in combination with certain classes such as ProtocolCodecFilter and ObjectSerializationCodecFactory.
“Upgrading will not be enough: you also need to explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance, using one of the three new methods,” Apache said.
The disclosure comes days after the ASF remediated multiple flaws spanning Tomcat (CVE-2024-56337), Traffic Control (CVE-2024-45387), and HugeGraph-Server (CVE-2024-43441).
Earlier this month, Apache also fixed a critical security flaw in the Struts web application framework (CVE-2024-53677) that an attacker could abuse to obtain remote code execution. Active exploitation attempts have since been detected.
Users of these products are strongly advised to update their installations to the latest versions as soon as possible to safeguard against potential threats.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
Brazilian Hacker Charged for Extorting $3.2M in Bitcoin After Breaching 300,000 Accounts