Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization

Teilen:

The Apache Software Foundation (ASF) has released patches to address a maximum severity vulnerability in the MINA Java network application framework that could result in remote code execution under specific conditions.

Tracked as CVE-2024-52046, the vulnerability carries a CVSS score of 10.0. It affects versions 2.0.X, 2.1.X, and 2.2.X.

“The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses,” the project maintainers said in an advisory released on December 25, 2024.

“This vulnerability allows attackers to exploit the deserialization process by sending specially crafted malicious serialized data, potentially leading to remote code execution (RCE) attacks.”

However, it bears noting that the vulnerability is exploitable only if the “IoBuffer#getObject()” method is invoked in combination with certain classes such as ProtocolCodecFilter and ObjectSerializationCodecFactory.

“Upgrading will not be enough: you also need to explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance, using one of the three new methods,” Apache said.

The disclosure comes days after the ASF remediated multiple flaws spanning Tomcat (CVE-2024-56337), Traffic Control (CVE-2024-45387), and HugeGraph-Server (CVE-2024-43441).

Earlier this month, Apache also fixed a critical security flaw in the Struts web application framework (CVE-2024-53677) that an attacker could abuse to obtain remote code execution. Active exploitation attempts have since been detected.

Users of these products are strongly advised to update their installations to the latest versions as soon as possible to safeguard against potential threats.

Quelle

Kommentar verfassen

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert

lade-bild
London, GB
10:19 am, Feb. 6, 2025
Wetter-Symbol 4°C
L: 3° | H: 5°
klarer Himmel
Luftfeuchtigkeit: 90 %
Druck: 1043 mb
Wind: 5 mph NE
Windböe: 0 mph
UV-Index: 0
Niederschlag: 0 mm
Wolken: 0%
Regen Chance: 0%
Sichtbarkeit: 10 km
Sonnenaufgang: 7:30 am
Sonnenuntergang: 4:58 pm
TäglichStündlich
Tägliche VorhersageStündliche Vorhersage
Today 9:00 pm
Wetter-Symbol
3° | 5°°C 0 mm 0% 12 mph 83 % 1043 mb 0 mm/h
Tomorrow 9:00 pm
Wetter-Symbol
3° | 4°°C 1 mm 100% 13 mph 96 % 1036 mb 0 mm/h
Sa. Feb. 08 9:00 pm
Wetter-Symbol
4° | 6°°C 1 mm 100% 13 mph 96 % 1028 mb 0 mm/h
So. Feb. 09 9:00 pm
Wetter-Symbol
4° | 6°°C 0 mm 0% 14 mph 94 % 1038 mb 0 mm/h
Mo. Feb. 10 9:00 pm
Wetter-Symbol
2° | 5°°C 1 mm 100% 13 mph 96 % 1036 mb 0.3 mm/h
Today 12:00 pm
Wetter-Symbol
5° | 7°°C 0 mm 0% 9 mph 80 % 1043 mb 0 mm/h
Today 3:00 pm
Wetter-Symbol
7° | 8°°C 0 mm 0% 10 mph 69 % 1041 mb 0 mm/h
Today 6:00 pm
Wetter-Symbol
6° | 6°°C 0 mm 0% 11 mph 76 % 1040 mb 0 mm/h
Today 9:00 pm
Wetter-Symbol
4° | 4°°C 0 mm 0% 12 mph 83 % 1038 mb 0 mm/h
Tomorrow 12:00 am
Wetter-Symbol
4° | 4°°C 0 mm 0% 12 mph 81 % 1036 mb 0 mm/h
Tomorrow 3:00 am
Wetter-Symbol
3° | 3°°C 0 mm 0% 11 mph 81 % 1033 mb 0 mm/h
Tomorrow 6:00 am
Wetter-Symbol
4° | 4°°C 0 mm 0% 12 mph 75 % 1030 mb 0 mm/h
Tomorrow 9:00 am
Wetter-Symbol
4° | 4°°C 0 mm 0% 13 mph 67 % 1028 mb 0 mm/h
Name Preis24H (%)
Bitcoin(BTC)
€95,053.74
1.18%
Ethereum(ETH)
€2,740.67
2.93%
XRP(XRP)
€2.36
-2.27%
Fesseln(USDT)
€0.96
-0.01%
Solana(SOL)
€194.81
-0.88%
USDC(USDC)
€0.96
0.00%
Dogecoin(DOGE)
€0.254347
-0.29%
Shiba Inu(SHIB)
€0.000015
-0.71%
Pepe(PEPE)
€0.000010
-0.40%
Nach oben scrollen