The Apache Software Foundation (ASF) has released patches to address a maximum-severity vulnerability in the MINA Java network application framework that could result in remote code execution under certain conditions.
Tracked as CVE-2024-52046, the vulnerability carries a CVSS score of 10.0. It affects versions 2.0.X, 2.1.X, and 2.2.X.
"The ObjectSerializationDecoder in Apache MINA uses Java's native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses," the project maintainers said in an advisory released on December 25, 2024.
"This vulnerability allows attackers to exploit the deserialization process by sending specially crafted malicious serialized data, potentially leading to remote code execution (RCE) attacks."
However, it bears noting that the vulnerability is exploitable only if the "IoBuffer#getObject()" method is invoked in conjunction with certain classes such as ProtocolCodecFilter and ObjectSerializationCodecFactory.
"Upgrading will not be enough: you also need to explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance, using one of the three new methods," Apache said.
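The following is an added example (not code from the article or from the Apache MINA project) showing what that post-upgrade configuration looks like: a ProtocolCodecFilter whose ObjectSerializationDecoder is given an explicit allowlist, so that only named classes are ever resolved during deserialization. It assumes a MINA release that contains the fix, the three `accept` overloads the Apache advisory describes (`accept(ClassNameMatcher)`, `accept(Pattern)`, `accept(String...)`), and a placeholder package `com.example.messages` standing in for whatever message types a real application actually exchanges.

```java
import java.util.regex.Pattern;

import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.codec.ProtocolCodecFactory;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.ProtocolDecoder;
import org.apache.mina.filter.codec.ProtocolEncoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;

/**
 * Builds a ProtocolCodecFilter whose decoder deserializes only an explicit
 * allowlist of classes. On a release without the fix the accept(...) methods
 * do not exist, and the decoder resolves any class its ClassLoader can find.
 */
public final class AllowlistedSerializationCodec {

    // Placeholder package (constructed for this example): replace it with the
    // message types your protocol really exchanges, and keep the list as short
    // as possible. Anything not matched is rejected before it is deserialized.
    private static final String[] ALLOWED_CLASSES = { "com.example.messages.*" };

    public static ProtocolCodecFactory create(ClassLoader classLoader) {
        final ObjectSerializationEncoder encoder = new ObjectSerializationEncoder();
        final ObjectSerializationDecoder decoder = new ObjectSerializationDecoder(classLoader);

        // The part the advisory says upgrading alone does not give you:
        // restrict which class names the decoder will accept.
        decoder.accept(ALLOWED_CLASSES);

        // The two other overloads named in the advisory express the same
        // allowlist as a regex or as a ClassNameMatcher (assumed here to be a
        // single-method interface taking the class name):
        //   decoder.accept(Pattern.compile("com\\.example\\.messages\\..*"));
        //   decoder.accept(className -> className.startsWith("com.example.messages."));

        return new ProtocolCodecFactory() {
            @Override
            public ProtocolEncoder getEncoder(IoSession session) {
                return encoder;
            }

            @Override
            public ProtocolDecoder getDecoder(IoSession session) {
                return decoder;
            }
        };
    }

    public static void main(String[] args) throws Exception {
        NioSocketAcceptor acceptor = new NioSocketAcceptor();
        // Wire the allowlisted codec into the filter chain exactly where an
        // ObjectSerializationCodecFactory would otherwise have been used.
        acceptor.getFilterChain().addLast("codec",
                new ProtocolCodecFilter(create(Thread.currentThread().getContextClassLoader())));
        // Set the application's IoHandler and bind as usual.
    }
}
```

The important design choice is that the allowlist is a positive list of the application's own message classes, not a blocklist of known gadget classes: a decoder that is simply upgraded but never given an allowlist still accepts whatever the ClassLoader can resolve, which is the condition the advisory warns about. A quick way to check an existing deployment is to search the code base for `ObjectSerializationCodecFactory`, `ObjectSerializationDecoder`, and direct calls to `IoBuffer.getObject(`; each hit is a decoder instance that needs its own `accept(...)` call after the upgrade.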
The disclosure comes days after the ASF remediated several flaws spanning Tomcat (CVE-2024-56337), Traffic Control (CVE-2024-45387), and HugeGraph-Server (CVE-2024-43441).
Earlier this month, Apache also fixed a critical security flaw in the Struts web application framework (CVE-2024-53677) that an attacker could abuse to obtain remote code execution. Active exploitation attempts have since been detected.
Users of these products are strongly advised to update their installations to the latest versions as soon as possible to safeguard against potential threats.