CVSS 10.0 Flaw Enables RCE via Unsafe Serialization

The Apache Software Foundation (ASF) has released patches to address a maximum severity vulnerability in the MINA Java network application framework that could result in remote code execution under specific conditions.

Tracked as CVE-2024-52046, the vulnerability carries a CVSS score of 10.0. It affects versions 2.0.X, 2.1.X, and 2.2.X.

“The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses,” the project maintainers said in an advisory released on December 25, 2024.

“This vulnerability allows attackers to exploit the deserialization process by sending specially crafted malicious serialized data, potentially leading to remote code execution (RCE) attacks.”

However, it bears noting that the vulnerability is exploitable only if the “IoBuffer#getObject()” method is invoked in combination with certain classes such as ProtocolCodecFilter and ObjectSerializationCodecFactory.

“Upgrading will not be enough: you also need to explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance, using one of the three new methods,” Apache said.
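As an added example (not code from the MINA project or this article), the following shows how a server could wire a patched decoder so that it only accepts the application's own message classes. It assumes a MINA 2.2.4 or later dependency; the `accept(String...)` call is the wildcard form of the three new allowlist methods, while the `com.example.protocol` package, the class name and the port are hypothetical.

```java
import java.io.ObjectInputFilter;
import java.net.InetSocketAddress;
import org.apache.mina.core.service.IoAcceptor;
import org.apache.mina.core.service.IoHandlerAdapter;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.codec.ProtocolCodecFactory;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.ProtocolDecoder;
import org.apache.mina.filter.codec.ProtocolEncoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;

public class HardenedObjectCodecServer {
    // Hypothetical package holding the application's own serializable messages.
    static final String MESSAGE_PACKAGE = "com.example.protocol.*";

    static ProtocolCodecFactory hardenedCodec() {
        ObjectSerializationEncoder encoder = new ObjectSerializationEncoder();
        ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();
        // Patched releases deserialize nothing until an allowlist is configured.
        // accept(String...) takes wildcard class-name patterns; the other two
        // overloads take a java.util.regex.Pattern or a ClassNameMatcher.
        decoder.accept(MESSAGE_PACKAGE);

        // Also bound the size of a single encoded object (the default is 1 MiB).
        decoder.setMaxObjectSize(64 * 1024);

        return new ProtocolCodecFactory() {
            public ProtocolEncoder getEncoder(IoSession s) { return encoder; }
            public ProtocolDecoder getDecoder(IoSession s) { return decoder; }
        };
    }

    public static void main(String[] args) throws Exception {
        // Defense in depth (Java 9+): a process-wide JDK filter so that any other
        // ObjectInputStream in this JVM rejects unexpected classes as well.
        ObjectInputFilter.Config.setSerialFilter(
                ObjectInputFilter.Config.createFilter(
                        MESSAGE_PACKAGE + ";java.base/*;!*"));

        IoAcceptor acceptor = new NioSocketAcceptor();
        // ProtocolCodecFilter is the component that feeds inbound bytes to the
        // decoder, which in turn calls IoBuffer#getObject() on them.
        acceptor.getFilterChain().addLast("codec", new ProtocolCodecFilter(hardenedCodec()));
        acceptor.setHandler(new IoHandlerAdapter());
        acceptor.bind(new InetSocketAddress(9123)); // hypothetical port
    }
}
```

With this configuration a serialized object whose class is outside `com.example.protocol` is rejected by the decoder before any constructor or readObject logic runs.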

The disclosure comes days after the ASF remediated several flaws spanning Tomcat (CVE-2024-56337), Traffic Control (CVE-2024-45387), and HugeGraph-Server (CVE-2024-43441).

Earlier this month, Apache also fixed a critical security flaw in the Struts web application framework (CVE-2024-53677) that an attacker could abuse to obtain remote code execution. Active exploitation attempts have since been detected.

Users of these products are strongly advised to update their installations to the latest versions as soon as possible to safeguard against potential threats.