The Apache Software Foundation (ASF) has released patches to address a maximum-severity vulnerability in MINA, a Java network application framework, that can lead to remote code execution under certain conditions.
Tracked as CVE-2024-52046, the vulnerability has a CVSS score of 10.0. It affects MINA versions 2.0.X, 2.1.X, and 2.2.X.
“The ObjectSerializationDecoder in Apache MINA uses Java’s own deserialization protocol to handle incoming serialized data, but it lacks the necessary security checks and safeguards,” the project maintainers said in an advisory published on December 25, 2024.
“This vulnerability allows attackers to exploit the deserialization process by sending specially crafted malicious serialized data, which could lead to Remote Code Execution (RCE) attacks.”
However, the vulnerability can only be exploited when the IoBuffer#getObject() method is called in conjunction with certain classes, such as ProtocolCodecFilter and ObjectSerializationCodecFactory.
“The update won’t be enough: you also need to explicitly allow the classes that the decoder will accept in the ObjectSerializationDecoder instance using one of the three new methods,” Apache said.
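The allow-list configuration the advisory refers to, shown here as an added example that is not the article's or the MINA project's own code: it assumes a patched 2.2.x release that provides the decoder's accept(...) methods, a placeholder application message class com.example.msg.Envelope (plus an Ack type), and a server listening on port 9000.

```java
// Added example, not from the advisory or the MINA project. Assumes a patched
// MINA 2.2.x with ObjectSerializationDecoder.accept(...), placeholder message
// classes com.example.msg.Envelope / com.example.msg.Ack, and port 9000.
package com.example.server;

import java.net.InetSocketAddress;
import java.util.regex.Pattern;

import org.apache.mina.core.service.IoAcceptor;
import org.apache.mina.core.service.IoHandlerAdapter;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;

public final class HardenedObjectServer {

    /** Builds a decoder that only deserializes the application's own message types. */
    static ObjectSerializationDecoder allowListedDecoder() {
        ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();
        // After the fix the decoder rejects every class until accept(...) is
        // called. Allow only the exact classes this protocol exchanges; a
        // wildcard such as "*" or a whole package prefix would reopen the hole.
        decoder.accept(Pattern.compile("^com\\.example\\.msg\\.(Envelope|Ack)$"));
        // Keep a size cap so a peer cannot force large allocations while decoding.
        decoder.setMaxObjectSize(64 * 1024);
        return decoder;
    }

    public static void main(String[] args) throws Exception {
        IoAcceptor acceptor = new NioSocketAcceptor();
        // Wire the hardened decoder in explicitly instead of relying on the
        // default ObjectSerializationCodecFactory instance.
        acceptor.getFilterChain().addLast("codec",
                new ProtocolCodecFilter(new ObjectSerializationEncoder(), allowListedDecoder()));
        acceptor.setHandler(new IoHandlerAdapter() {
            @Override
            public void messageReceived(IoSession session, Object message) {
                // Only instances of the allow-listed classes can reach this point.
                System.out.println("received " + message.getClass().getName());
            }
        });
        acceptor.bind(new InetSocketAddress(9000));
    }
}
```

The anchored regular expression is deliberate: matching on a prefix would admit any class under that package, and the advisory's point is that the upgrade alone changes nothing until the accepted set is stated explicitly.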
The disclosure comes a few days after ASF patched several other flaws affecting Tomcat (CVE-2024-56337), Traffic Control (CVE-2024-45387), and HugeGraph Server (CVE-2024-43441).
Earlier this month, Apache also patched a critical security flaw in the Struts web application framework (CVE-2024-53677), which an attacker can use for remote code execution. Since then, active exploitation attempts have been detected.
Users of these products are strongly advised to update their installations to the latest versions as soon as possible to protect against potential threats.