The Apache Software Foundation has issued critical security updates for its MINA Java network application framework, addressing a severe vulnerability (CVE-2024-52046) rated at the maximum CVSS score of 10.0. The flaw affects the 2.0.X, 2.1.X, and 2.2.X release lines of the framework.
The vulnerability stems from the ObjectSerializationDecoder component, which deserializes incoming data without adequate security checks. Because the decoder accepts whatever classes appear in the serialized stream, an attacker who can reach an affected endpoint could potentially achieve remote code execution by sending specially crafted data.
Key Points:
– Exploitation is only possible when the IoBuffer#getObject() method is used together with ProtocolCodecFilter and ObjectSerializationCodecFactory
– Upgrading alone is not sufficient: after updating, users must explicitly configure the set of classes the ObjectSerializationDecoder instance is allowed to deserialize
– The patch release coincides with fixes for other Apache products including Tomcat (CVE-2024-56337), Traffic Control (CVE-2024-45387), and HugeGraph-Server (CVE-2024-43441)
– A recent critical vulnerability in Apache Struts (CVE-2024-53677) has already seen active exploitation attempts
Users are urged to update their installations immediately to the latest patched versions and, for MINA, to configure the decoder's class allowlist as part of the same change, since the update alone does not mitigate the risk.