An urgent advisory highlights several critical security vulnerabilities in Apache software products, tracked as CVE-2024-43441, CVE-2024-45387, and CVE-2024-52046. These pose significant risks to organizations and users who depend on these tools.
The Cyber Security Agency of Singapore has issued the advisory, while the Apache Software Foundation has released patches for CVE-2024-43441 (Apache HugeGraph-Server), CVE-2024-45387 (Apache Traffic Control), and CVE-2024-52046 (Apache MINA). Immediate action is recommended to mitigate potential threats.
CVE-2024-43441 affects Apache HugeGraph-Server, a graph database server widely used for managing complex data relationships. The vulnerability allows attackers to bypass authentication mechanisms, potentially granting unauthorized access to sensitive systems and data.
Successful exploitation could allow malicious actors to access restricted systems without valid credentials. The flaw affects HugeGraph-Server versions prior to 1.5.0, and users must update to version 1.5.0 or later.
CVE-2024-45387 has been identified in Apache Traffic Control, a tool commonly employed to manage and optimize content delivery networks (CDNs). Specifically, the flaw impacts Traffic Ops, a core component used for CDN configuration and management.
This vulnerability enables SQL injection attacks, which could result in unauthorized data access, modification, or even full database compromise. It impacts Apache Traffic Control versions 8.0.0 to 8.0.1, and users are advised to update to versions beyond 8.0.1 to mitigate these risks.
CVE-2024-52046 affects Apache MINA, a network application framework used across a range of applications. The issue stems from improper handling of Java’s deserialization protocol, which attackers can exploit by sending maliciously crafted serialized data.
Successful exploitation could enable remote code execution (RCE), potentially leading to full system compromise. Apache MINA versions prior to 2.0.27, 2.1.10, and 2.24 are affected. Updating to the latest versions (2.0.27, 2.1.10, or 2.24) is necessary but not sufficient on its own: to prevent unbounded deserialization, the deserialization behaviour must also be configured after the upgrade.
By default, Apache MINA now rejects all deserialization unless administrators actively establish permitted exceptions. It is also critical to note that sub-projects of Apache MINA, such as FtpServer, SSHd, and Vysper, are not affected by this vulnerability.
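The post-fix default described above means an upgraded application that still uses the object serialization codec will deserialize nothing until an allow-list is configured. The following is an added example, not code from the advisory or from Apache MINA's own documentation, showing how a defender would configure that allow-list; the `accept(...)` methods are those introduced by the MINA fix as described in the project's announcement, and the `com.example.app.dto` class names are hypothetical.

```java
// Added example: configuring the deserialization allow-list on an
// ObjectSerializationDecoder after upgrading to a fixed Apache MINA release.
// The com.example.app.dto classes are hypothetical placeholders.
import java.util.regex.Pattern;

import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.codec.ProtocolCodecFactory;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.ProtocolDecoder;
import org.apache.mina.filter.codec.ProtocolEncoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;

public final class HardenedObjectCodec {

    /** Builds a decoder that deserializes only the application's own message classes. */
    static ObjectSerializationDecoder allowListedDecoder() {
        ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();
        // Since the fix, every class is rejected until it is explicitly accepted.
        // Accept one exact class name (hypothetical DTO) ...
        decoder.accept("com.example.app.dto.OrderMessage");
        // ... and a narrow package pattern. Never accept ".*" or java.* wholesale,
        // which would reintroduce the gadget-chain exposure the fix closes.
        decoder.accept(Pattern.compile("com\\.example\\.app\\.dto\\.[A-Za-z0-9_$]+"));
        // Bound object size as well: oversized payloads are a cheap DoS lever.
        decoder.setMaxObjectSize(64 * 1024);
        return decoder;
    }

    /** Codec factory wiring the hardened decoder into a MINA filter chain. */
    static ProtocolCodecFactory codecFactory() {
        return new ProtocolCodecFactory() {
            private final ObjectSerializationEncoder encoder = new ObjectSerializationEncoder();
            private final ObjectSerializationDecoder decoder = allowListedDecoder();
            public ProtocolEncoder getEncoder(IoSession session) { return encoder; }
            public ProtocolDecoder getDecoder(IoSession session) { return decoder; }
        };
    }

    public static void main(String[] args) {
        NioSocketAcceptor acceptor = new NioSocketAcceptor();
        acceptor.getFilterChain().addLast("codec", new ProtocolCodecFilter(codecFactory()));
        // acceptor.bind(...) follows as in any MINA server.
    }
}
```

Before rolling this out, check the upgraded version's javadoc for `ObjectSerializationDecoder` against the method names used here, and audit the code base for any direct `IoBuffer#getObject()` calls, since the advisory ties exposure to that path.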
Separately, Sophos recently fixed SQL injection, weak SSH credentials, and user portal code injection vulnerabilities in its products.