CISA warns of actively exploited Apache HugeGraph-Server bug

The U.S. Cybersecurity and Infrastructure Agency (CISA) has added five flaws to its Known Exploited Vulnerabilities (KEV) catalog, among which is a remote code execution (RCE) flaw impacting Apache HugeGraph-Server.

The flaw, tracked as CVE-2024-27348 and rated critical (CVSS v3.1 score: 9.8), is an improper access control vulnerability that impacts HugeGraph-Server versions from 1.0.0 and up to, but not including 1.3.0.

Apache fixed the vulnerability on April 22, 2024, with the release of version 1.3.0. Apart from upgrading to the latest version, users were also recommended to use Java 11 and enable the Auth system.

Also, enabling the “Whitelist-IP/port” function was proposed to improve the security of the RESTful-API execution, which was involved in potential attack chains.

Now, CISA has warned that active exploitation of CVE-2024-27348 has been observed in the wild, giving federal agencies and other critical infrastructure organizations until October 9, 2024, to apply mitigations or discontinue the use of the product.

Apache HugeGraph-Server is the core component of the Apache HugeGraph project, an open-source graph database designed for handling large-scale graph data with high performance and scalability, supporting complex operations required in deep relationship exploitation, data clustering, and path searches.

The product is used, among others, by telecom providers for fraud detection and network analysis, financial services for risk control and transaction pattern analysis, and social networks for connection analysis and automated recommendation systems.

With active exploitation underway and the product used in apparently high-value enterprise environments, applying the available security updates and mitigations as soon as possible is exigent.

The other four flaws added to KEV this time are:

CVE-2020-0618: Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability
CVE-2019-1069: Microsoft Windows Task Scheduler Privilege Escalation Vulnerability
CVE-2022-21445: Oracle JDeveloper Remote Code Execution Vulnerability
CVE-2020-14644: Oracle WebLogic Server Remote Code Execution Vulnerability

The inclusion of these older vulnerabilities is not an indication of recent exploitation but serves to enrich the KEV catalog by documenting security flaws that were confirmed to have been used in attacks at some point in the past.

Bill Toulas

Leave a Comment Cancel Reply

London, GB

3:11 am, Jan 26, 2025

2°C

L: -0° | H: 3°

Feels like 0°C° scattered clouds

Humidity: 80 %

Pressure: 1007 mb

Wind: 3 mph WSW

Wind Gust: 9 mph

UV Index: 0

Precipitation: 0 mm

Clouds: 30%

Rain Chance: 0%

Visibility: 10 km

Sunrise: 7:47 am

Sunset: 4:38 pm

DailyHourly

Daily ForecastHourly Forecast

Today 9:00 pm

-0° | 3°°C 1 mm 100% 19 mph 93 % 1006 mb 0 mm/h

Tomorrow 9:00 pm

6° | 8°°C 1 mm 100% 22 mph 90 % 984 mb 0 mm/h

Tue Jan 28 9:00 pm

7° | 9°°C 1 mm 100% 21 mph 86 % 996 mb 0 mm/h

Wed Jan 29 9:00 pm

5° | 7°°C 1 mm 100% 15 mph 93 % 1001 mb 0 mm/h

Thu Jan 30 9:00 pm

3° | 6°°C 0.93 mm 93% 10 mph 95 % 1023 mb 0 mm/h

Today 6:00 am

2° | 4°°C 0 mm 0% 9 mph 81 % 1006 mb 0 mm/h

Today 9:00 am

4° | 5°°C 0 mm 0% 14 mph 77 % 1003 mb 0 mm/h

Today 12:00 pm

6° | 6°°C 0 mm 0% 17 mph 81 % 997 mb 0 mm/h

Today 3:00 pm

5° | 5°°C 1 mm 100% 19 mph 93 % 990 mb 0 mm/h

Today 6:00 pm

8° | 8°°C 1 mm 100% 14 mph 84 % 988 mb 0 mm/h

Today 9:00 pm

9° | 9°°C 0 mm 0% 16 mph 79 % 986 mb 0 mm/h

Tomorrow 12:00 am

8° | 8°°C 1 mm 100% 20 mph 90 % 979 mb 0 mm/h

Tomorrow 3:00 am

7° | 7°°C 1 mm 100% 14 mph 77 % 982 mb 0 mm/h

Name	Price	24H (%)
Bitcoin(BTC)	€99,743.84	0.20%
Ethereum(ETH)	€3,170.69	1.06%
XRP(XRP)	€2.97	0.16%
Tether(USDT)	€0.95	-0.01%
Solana(SOL)	€243.50	2.23%
Dogecoin(DOGE)	€0.336884	1.13%
USDC(USDC)	€0.95	-0.01%
Shiba Inu(SHIB)	€0.000019	0.07%
Pepe(PEPE)	€0.000014	-0.40%
Peanut the Squirrel(PNUT)	€0.341643	3.03%

CISA warns of actively exploited Apache HugeGraph-Server bug

Share:

Leave a Comment Cancel Reply

Utility link

Useful link

Newsletter

Follow Us