The Apache Software Foundation (ASF) has released patches to address a maximum-severity vulnerability in the MINA Java network application framework that could result in remote code execution under specific conditions.
Tracked as CVE-2024-52046, the vulnerability carries a CVSS score of 10.0. It affects versions 2.0.X, 2.1.X, and 2.2.X, and is fixed in releases 2.0.27, 2.1.10, and 2.2.4.
"The ObjectSerializationDecoder in Apache MINA uses Java's native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses," the project maintainers said in an advisory released on December 25, 2024.
"This vulnerability allows attackers to exploit the deserialization process by sending specially crafted malicious serialized data, potentially leading to remote code execution (RCE) attacks."
However, it bears noting that an application is exposed only if the IoBuffer#getObject() method is actually invoked, which typically happens when a ProtocolCodecFilter built from the ObjectSerializationCodecFactory class is added to the filter chain. Applications that use MINA without that codec, or that never call IoBuffer#getObject(), do not reach the vulnerable deserialization path.
"Upgrading will not be enough: you also need to explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance, using one of the three new methods," Apache said.
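The following is an added illustration, not code from the advisory or the MINA project, of what that post-upgrade step looks like in a MINA server. It assumes a patched MINA release in which ObjectSerializationDecoder exposes the accept(String...) allow-list overload the advisory refers to, and the package name com.example.app.dto plus the listed JDK types are hypothetical stand-ins for whatever classes a real protocol legitimately carries.

```java
// Added example, not from the MINA advisory or project code. Assumes a patched
// MINA release (2.0.27 / 2.1.10 / 2.2.4) where ObjectSerializationDecoder has the
// accept(...) allow-list methods. "com.example.app.dto" is a hypothetical package.
import java.net.InetSocketAddress;

import org.apache.mina.core.service.IoAcceptor;
import org.apache.mina.core.service.IoHandlerAdapter;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.serialization.ObjectSerializationCodecFactory;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;

public class ObjectCodecHardening {

    // BEFORE: the pattern CVE-2024-52046 is about. The stock factory feeds every
    // incoming byte stream to Java deserialization with no class restriction,
    // so any gadget chain present on the classpath is reachable from the network.
    static ProtocolCodecFilter unsafeFilter() {
        return new ProtocolCodecFilter(new ObjectSerializationCodecFactory());
    }

    // AFTER: construct the decoder directly and allow-list only the classes the
    // protocol is supposed to carry. Per the advisory, upgrading alone is not
    // sufficient; this accept(...) call is the step that has to be added.
    static ProtocolCodecFilter hardenedFilter() {
        ObjectSerializationDecoder decoder =
                new ObjectSerializationDecoder(ObjectCodecHardening.class.getClassLoader());

        // Also bound the size of a single serialized message (existing setter).
        decoder.setMaxObjectSize(64 * 1024);

        // Hypothetical allow-list: the application's DTO package via wildcard,
        // plus the handful of JDK types those DTOs reference. Anything not
        // matched here is rejected before it is resolved.
        decoder.accept("com.example.app.dto.*",
                       "java.lang.String",
                       "java.lang.Integer",
                       "java.lang.Number",
                       "java.util.ArrayList");

        ObjectSerializationEncoder encoder = new ObjectSerializationEncoder();
        return new ProtocolCodecFilter(encoder, decoder);
    }

    public static void main(String[] args) throws Exception {
        IoAcceptor acceptor = new NioSocketAcceptor();
        acceptor.getFilterChain().addLast("codec", hardenedFilter());
        acceptor.setHandler(new IoHandlerAdapter() {
            @Override
            public void messageReceived(IoSession session, Object message) {
                // Only instances of allow-listed classes ever reach the handler.
                System.out.println("decoded " + message.getClass().getName());
            }
        });
        acceptor.bind(new InetSocketAddress(9123));
    }
}
```

Keep the allow-list as narrow as the protocol permits: a wildcard such as "java.*" or "com.example.*" would readmit much of the attack surface the fix was meant to close. A quick check that the change is effective is to send a serialized instance of a class outside the list and confirm the session is closed with a decoder error rather than the object being delivered to messageReceived.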
The disclosure comes days after the ASF remediated multiple flaws spanning Tomcat (CVE-2024-56337), Traffic Control (CVE-2024-45387), and HugeGraph-Server (CVE-2024-43441).
Earlier this month, Apache also fixed a critical security flaw in the Struts web application framework (CVE-2024-53677) that an attacker could abuse to obtain remote code execution. Active exploitation attempts have since been detected.
Users of these products are strongly advised to update their installations to the latest versions as soon as possible to safeguard against potential threats.