Apache Foundation urges users to patch and fix major security vulnerabilities now
- The Apache Software Foundation has disclosed vulnerabilities in MINA, HugeGraph-Server and Traffic Control
- One of the flaws received the maximum severity score of 10/10
- All bugs have been patched, and administrators are urged to apply the updates as soon as possible
The Apache Software Foundation has released fixes for multiple vulnerabilities discovered in three different solutions: MINA, HugeGraph-Server, and Traffic Control. One of the defects received a maximum score of 10/10.
Apache MINA is a network application framework that simplifies the development of high-performance, scalable communication protocols and applications by abstracting low-level I/O operations. Multiple versions (2.0 – 2.0.26, 2.1 – 2.1.9, and 2.2 – 2.2.3) were found to be vulnerable to a flaw that could allow remote threat actors to execute arbitrary code, and it was therefore rated 10/10 in severity.
It is tracked as CVE-2024-52046 and was addressed in versions 2.0.27, 2.1.10, and 2.2.4. However, as BleepingComputer reports, simply applying the patch is not enough: users must also manually configure MINA to reject all classes unless they are explicitly allowed, using one of the three methods provided.
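As an added illustration (not code from the article or from the MINA project), the following shows how a server built on a patched MINA release can register the object-serialization codec so that the decoder only deserializes an explicit allowlist of classes. The MINA package and class names are the project's real API; the `com.example.messages` package and port number are placeholders, and the JDK patterns allowed are an assumption to be narrowed to what your own payloads actually contain.

```java
import org.apache.mina.core.service.IoAcceptor;
import org.apache.mina.core.service.IoHandlerAdapter;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;

import java.net.InetSocketAddress;

/** Wires a MINA acceptor whose object decoder deserializes only allowlisted classes. */
public final class HardenedObjectCodec {

    /** Builds a decoder that refuses every class except the ones explicitly accepted. */
    public static ObjectSerializationDecoder newRestrictedDecoder() {
        ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();
        // On 2.0.27 / 2.1.10 / 2.2.4 and later the decoder rejects all classes by default,
        // so an allowlist is required before any object can be decoded at all.
        // Placeholder package: replace with the application's own message/DTO classes.
        decoder.accept("com.example.messages.*");
        // Assumption: the payloads also carry plain JDK types (boxed numbers, collections).
        // Keep this list as small as the real message graph allows.
        decoder.accept("java.lang.*", "java.util.*");
        return decoder;
    }

    /** Installs the encoder and the restricted decoder as the codec filter of an acceptor. */
    public static IoAcceptor newAcceptor() {
        IoAcceptor acceptor = new NioSocketAcceptor();
        acceptor.getFilterChain().addLast(
            "codec",
            new ProtocolCodecFilter(new ObjectSerializationEncoder(), newRestrictedDecoder()));
        return acceptor;
    }

    public static void main(String[] args) throws Exception {
        IoAcceptor acceptor = newAcceptor();
        acceptor.setHandler(new IoHandlerAdapter()); // replace with the real message handler
        acceptor.bind(new InetSocketAddress(9123));  // placeholder port
    }
}
```

An incoming stream that names a class outside the allowlist is refused by the decoder before it is deserialized, which is the behaviour the patch relies on; a service that upgrades the library but never calls `accept(...)` will simply stop decoding objects.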
Attacks during winter holidays
Two other vulnerabilities are tracked as CVE-2024-43441 and CVE-2024-45387. The first, described as an authentication bypass issue, was found in Apache HugeGraph-Server versions 1.0 – 1.3 and was fixed in version 1.5.0. The second, a SQL injection vulnerability affecting Traffic Ops versions 8.0.0 – 8.0.1, was addressed in version 8.0.2; it received a critical severity score of 9.9.
Winter holidays are known to be the time of year when hackers are most active. With traffic increasing and many employees on vacation, companies are more exposed than normal. Cybercriminals are aware of this and are taking advantage by launching devastating attacks, starting on Christmas Eve.
Therefore, the Apache Software Foundation has urged system administrators to upgrade their software to the latest version as soon as possible.
Via BleepingComputer