Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization

Dec 27, 2024 | Ravie Lakshmanan | Vulnerability / Software Security

The Apache Software Foundation (ASF) has released patches to address a maximum severity vulnerability in the MINA Java network application framework that could result in remote code execution under specific conditions.

Tracked as CVE-2024-52046, the vulnerability carries a CVSS score of 10.0. It affects versions 2.0.X, 2.1.X, and 2.2.X.

“The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses,” the project maintainers said in an advisory released on December 25, 2024.

“This vulnerability allows attackers to exploit the deserialization process by sending specially crafted malicious serialized data, potentially leading to remote code execution (RCE) attacks.”

However, it bears noting that the vulnerability is exploitable only if the “IoBuffer#getObject()” method is invoked in conjunction with certain classes such as ProtocolCodecFilter and ObjectSerializationCodecFactory.


“Upgrading will not be enough: you also need to explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance, using one of the three new methods,” Apache said.

The disclosure comes days after the ASF remediated several flaws spanning Tomcat (CVE-2024-56337), Traffic Control (CVE-2024-45387), and HugeGraph-Server (CVE-2024-43441).

Earlier this month, Apache also fixed a critical security flaw in the Struts web application framework (CVE-2024-53677) that an attacker could abuse to obtain remote code execution. Active exploitation attempts have since been detected.

Users of these products are strongly advised to update their installations to the latest versions as soon as possible to safeguard against potential threats.
