CyberSecurity news

FlagThis - #apache

@nvd.nist.gov //

Critical Vulnerability in Apache Traffic Server Enables DoS Attacks - A critical vulnerability (CVE-2025-49763) in Apache Traffic Server allows attackers to exhaust server memory via recursive ESI requests, leading to denial-of-service attacks.
A critical security vulnerability, CVE-2025-49763, has been identified in Apache Traffic Server (ATS). This flaw, discovered by Imperva's Offensive Security Team, resides within the ESI plugin of ATS and can be exploited by remote, unauthenticated attackers to trigger denial-of-service (DoS) attacks. The vulnerability stems from the potential for attackers to initiate an "avalanche" of internal ESI requests, leading to the exhaustion of server memory. The CVSS v3.1 score is estimated at 7.5, classifying it as a high-severity issue.

The memory exhaustion vulnerability allows malicious actors to potentially crash proxy nodes within the Apache Traffic Server infrastructure. To mitigate the risk posed by CVE-2025-49763, security experts advise upgrading ATS to the latest version and carefully configuring Access Control List (ACL) settings. Specifically, administrators should define limits for the ESI plugin to prevent excessive resource consumption by unauthorized requests.

In addition to this vulnerability (CVE-2025-49763), another CVE, CVE-2025-31698, was recently published, concerning ACL misconfigurations in Apache Traffic Server. This highlights the need for diligent security practices. Users of Apache Traffic Server versions 10.0.0 through 10.0.6 and 9.0.0 through 9.2.10 are advised to upgrade to versions 9.2.11 or 10.0.6 to address the ACL issue. A new setting, proxy.config.acl.subjects, allows administrators to specify which IP addresses to use for ACL checks when ATS is configured to accept PROXY protocol.

Recommended read:
References :
  • thecyberexpress.com: This article provides detailed information on the vulnerability, its impact, and mitigation strategies.
  • Blog: CVE-2025-49763 – Remote DoS via Memory Exhaustion in Apache Traffic Server via ESI Plugin
  • Tenable Blog: This article discusses various cybersecurity topics, including the Apache Traffic Server vulnerability CVE-2025-49763.
  • www.imperva.com: Remote attackers can trigger an avalanche of internal ESI requests, exhausting memory and causing denial-of-service in Apache Traffic Server.
@securityonline.info //

Apache Parquet Java Flaw Exposes Systems To RCE - A critical vulnerability, CVE-2025-46762, has been identified in Apache Parquet Java, which could lead to remote code execution (RCE) attacks via insecure schema parsing.
A critical vulnerability, CVE-2025-46762, has been identified in Apache Parquet Java, a widely used open-source columnar storage format. This flaw exposes systems to potential remote code execution (RCE) attacks through insecure schema parsing in the parquet-avro module. The vulnerability resides in how Avro schemas are deserialized from metadata stored in Parquet files, potentially allowing malicious actors to inject code into the file's metadata. If an application uses parquet-avro to read Parquet files and employs the specific or reflective Avro deserialization models, processing an untrusted Parquet file could trigger unauthorized code execution during schema parsing.

The vulnerability impacts all versions of Apache Parquet Java up to and including 1.15.1, where schema parsing in the parquet-avro module allows bad actors to execute arbitrary code. While version 1.15.1 introduced restrictions on untrusted packages, the default list of trusted packages remained permissive, possibly enabling attackers to exploit the vulnerability using classes from whitelisted packages. Exploitability is contingent upon specific usage patterns, primarily when applications use parquet-avro, employ the specific or reflective Avro deserialization models, and process untrusted or user-supplied Parquet files.

To mitigate this serious threat, Apache recommends upgrading to version 1.15.2, which includes hardened default settings to prevent execution from trusted but potentially dangerous packages. Users on version 1.15.1 can explicitly set the system property org.apache. Although this vulnerability is not exploitable by default, the potential for RCE makes it a high-priority concern for organizations utilizing Apache Parquet in data-intensive applications and analytics pipelines, especially those dealing with untrusted data sources.

Recommended read:
References :
  • securityonline.info: CVE-2025-46762: Apache Parquet Java Flaw Allows Potential RCE via Avro Schema
  • securityonline.info: CVE-2025-46762: Apache Parquet Java Flaw Allows Potential RCE via Avro Schema
  • thecyberexpress.com: Apache Parquet Java Vulnerability CVE-2025-46762 Exposes Systems to Remote Code Execution Attacks
  • F5 Labs All: Canary Exploit tool for CVE-2025-30065 Apache Parquet Avro Vulnerability
  • BleepingComputer: Apache Parquet exploit tool detect servers vulnerable to critical flaw
  • The DefendOps Diaries: TheDefendOpsDiaries about Apache Parquet
  • securityaffairs.com: Canary Exploit tool allows to find servers affected by Apache Parquet flaw
  • Security Risk Advisors: CVE-2025-30065 – Critical Vulnerability in Apache Parquet Enables Arbitrary Class Instantiation via Malicious Avro Files
CISA@All CISA Advisories //

CISA Warns of Actively Exploited Apache, SonicWall Flaws - CISA added CVE-2024-38475 in Apache HTTP Server and CVE-2023-44221 in SonicWall SMA100 series to its catalog of known exploited vulnerabilities.
CISA has added two new vulnerabilities, CVE-2024-38475 and CVE-2023-44221, to its Known Exploited Vulnerabilities (KEV) catalog. These vulnerabilities affect Apache HTTP Server and SonicWall SMA100 series appliances, posing significant risks to organizations that utilize these technologies. The agency is urging organizations to take immediate action to mitigate potential exploits. The addition to the KEV catalog highlights the active exploitation of these flaws in the wild, increasing the urgency for patching and remediation.

The vulnerabilities impacting SonicWall SMA 100 devices are particularly concerning due to the potential for complete system takeover and session hijacking. Cybersecurity researchers at watchTowr have discovered that malicious actors are actively combining these vulnerabilities. CVE-2024-38475, an Apache HTTP pre-authentication arbitrary file read vulnerability discovered by Orange Tsai, allows unauthorized file reading. CVE-2023-44221, a post-authentication command injection flaw discovered by Wenjie Zhong (H4lo) of DBappSecurity Co., Ltd, enables attackers to execute arbitrary commands on affected systems.

The combination of these two vulnerabilities allows attackers to extract sensitive information, such as administrator session tokens, effectively bypassing login credentials. Once this initial foothold is established, the command injection vulnerability can be exploited to execute arbitrary commands, potentially leading to session hijacking and full system compromise. The vulnerabilities affect SMA 100 series appliances, including models SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v. watchTowr has warned of active exploitation of these vulnerabilities, urging organizations to apply available patches to secure their systems.

Recommended read:
References :
  • watchTowr Labs: SonicBoom, From Stolen Tokens to Remote Shells - SonicWall SMA (CVE-2023-44221, CVE-2024-38475)
  • thecyberexpress.com: CISA Adds Two New Exploited Vulnerabilities to Its Catalog: CVE-2024-38475 and CVE-2023-44221
  • thecyberexpress.com: CISA Adds Two New Exploited Vulnerabilities to Its Catalog: CVE-2024-38475 and CVE-2023-44221
  • securityaffairs.com: U.S. CISA adds SonicWall SMA100 and Apache HTTP Server flaws to its Known Exploited Vulnerabilities catalog
@securityonline.info //

Critical Apache Roller Flaw Allows Unauthorized Session Persistence - A critical vulnerability (CVE-2025-24859) in Apache Roller allows attackers to retain unauthorized access even after password changes due to a session management issue; users are advised to upgrade to version 6.1.5.
A critical security vulnerability has been discovered in Apache Roller, a Java-based blogging server software. The flaw, identified as CVE-2025-24859 and carrying a maximum severity CVSS score of 10.0, allows attackers to retain unauthorized access even after a user changes their password. This session management issue affects Apache Roller versions up to and including 6.1.4, potentially exposing blogs to unauthorized actions and undermining the security measures intended by password changes.

The vulnerability stems from the failure to properly invalidate active user sessions when a password is changed, either by the user or an administrator. This means that an attacker who has compromised a user's credentials could maintain continued access through an old session, even after the user has taken steps to secure their account by changing their password. This poses a significant risk, as it could enable unauthorized individuals to access and manipulate blog content, potentially leading to data breaches or other malicious activities.

To address this critical flaw, Apache Roller version 6.1.5 has been released with a fix that implements centralized session management. This ensures that all active sessions are invalidated when passwords are changed or users are disabled, effectively preventing attackers from maintaining unauthorized access. Users of Apache Roller are strongly advised to upgrade to version 6.1.5 as soon as possible to mitigate the risk of exploitation and safeguard their blog sites from potential security breaches. The vulnerability was discovered and reported by security researcher Haining Meng.

Recommended read:
References :
  • securityaffairs.com: Critical Apache Roller flaw allows to retain unauthorized access even after a password change
  • securityonline.info: CVE-2025-24859 (CVSSv4 10): Apache Roller Flaw Exposes Blogs to Unauthorized Access
  • The Hacker News: Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence
  • bsky.app: 10/10 CVSS in the Apache Roller blogging platform "active user sessions are not properly invalidated after password changes"
  • ciso2ciso.com: Critical Apache Roller flaw allows to retain unauthorized access even after a password change – Source: securityaffairs.com
  • lists.apache.org: Apache Roller Fails to Invalidate Sessions on Password Change (CVE-2025-24859)
Pierluigi Paganini@securityaffairs.com //

CISA Adds Apache Tomcat Flaw to Exploited Vulnerabilities - CISA has added an Apache Tomcat path equivalence vulnerability, CVE-2025-24813, to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation, urging users to upgrade to the latest secure versions.
CISA has added a new Apache Tomcat vulnerability, identified as CVE-2025-24813, to its Known Exploited Vulnerabilities (KEV) catalog. This action follows evidence that the flaw is being actively exploited in the wild, posing a significant risk to organizations utilizing affected versions of Apache Tomcat. The vulnerability is a path equivalence issue within Apache Tomcat.

To mitigate the risk posed by CVE-2025-24813, impacted users are urged to upgrade their Apache Tomcat installations to the latest secure versions. Specifically, upgrades to Apache Tomcat 11.0.3 or later, Apache Tomcat 10.1.35 or later, or Apache Tomcat 9.0.99 or later are recommended. The advisory also includes IPS protection measures to detect and block potential attack attempts targeting this vulnerability affecting the Apache Tomcat web server.

Recommended read:
References :

Posts

Blogs

Research Tools