alinskens@sonatype.com (Aaron Linskens)@2024 Sonatype Blog - 77d
Multiple critical vulnerabilities have been discovered in Apache Struts2 and Apache Tomcat: a path traversal vulnerability in Struts2 (CVE-2024-53677) that can lead to remote code execution, and two vulnerabilities in Tomcat (CVE-2024-50379 and CVE-2024-54677) that can cause remote code execution and denial of service respectively. These vulnerabilities stem from a time-of-check to time-of-use (TOCTOU) race condition during JSP compilation in Tomcat and from the ability to upload files into restricted directories in Struts2, either of which could let an attacker compromise an affected system. Users are urged to apply the available patches immediately.
References:
- isc.sans.edu: Exploit attempts inspired by recent Struts2 File Upload Vulnerability (CVE-2024-53677, CVE-2023-50164), (Sun, Dec 15th)
- malware.news: Exploit attempts inspired by recent Struts2 File Upload Vulnerability (CVE-2024-53677, CVE-2023-50164), (Sun, Dec 15th)
- nsfocusglobal.com: Apache Struts Arbitrary File Upload Vulnerability S2-067 (CVE-2024-53677)
- gbhackers.com: Hackers Exploiting Apache Struts2 Vulnerability to Upload Malicious Payloads
- securityonline.info: Hackers exploit critical Apache Struts RCE flaw (CVE-2024-53677) after PoC exploit release
- securityonline.info: The Apache Software Foundation has released important security updates to address two vulnerabilities in Apache Tomcat, a widely-used open-source web server, and servlet container.
- The Hacker News: Threat actors are attempting to exploit a recently disclosed security flaw impacting Apache Struts that could pave the way for remote code execution.
- BleepingComputer: A recently patched critical Apache Struts 2 vulnerability tracked as CVE-2024-53677 is actively exploited using public proof-of-concept exploits to find vulnerable devices.
- community.emergingthreats.net: ET WEB_SPECIFIC_APPS Apache Struts2 Path Traversal Attempt Inbound M2 (CVE-2024-53677)
- Latest from TechRadar: A critical vulnerability in the Apache Struts 2 application framework is now under active exploitation, security researchers have warned, urging …
- cyble.com: ACSC Warns of Remote Code Execution Risk in Apache Struts2
- malware.news: ACSC Warns of Remote Code Execution Risk in Apache Struts2
- Security Risk Advisors: Critical Path Traversal Vulnerability in Apache Struts Enables Remote Code Execution Via File Upload
- securityaffairs.com: Threat actors are attempting to exploit Apache Struts vulnerability CVE-2024-53677
- www.heise.de: Patch now! Attackers exploit critical security vulnerability in Apache Struts. The upload function of Apache Struts is faulty and attackers can upload malicious code. Security researchers warn of attacks.
- cwiki.apache.org: Critical Path Traversal Vulnerability in Apache Struts Enables Remote Code Execution Via File Upload
- Security Boulevard: An Apache Tomcat web server vulnerability has been published, exposing the platform to remote code execution through a race condition failure.
- www.mail-archive.com: Apache Tomcat security advisory 17 December 2024 (9.8 critical) RCE (remote code execution) due to TOCTOU (time-of-check to time-of-use) issue in JSP compilation. No mention of exploitation.
- Open Source Security: CVE-2024-56337: Apache Tomcat: RCE due to TOCTOU issue in JSP compilation - CVE-2024-50379 mitigation was incomplete
- 2024 Sonatype Blog: CVE-2024-53677: A critical file upload vulnerability in Apache Struts2
info@thehackernews.com (The Hacker News)@The Hacker News - 68d
The Apache Software Foundation has issued critical security updates to address severe vulnerabilities affecting several of its products, including MINA, HugeGraph-Server, and Traffic Control. These updates are crucial as the identified flaws could potentially allow attackers to compromise systems. Specifically, a SQL Injection vulnerability was discovered in Apache Traffic Control.
Security teams are being urged to immediately patch the 9.9 severity vulnerability within the web content distribution platform. The identified issues highlight a serious risk of exploitation, and it is essential that organizations using these Apache products prioritize applying the latest security updates to protect their systems from potential cyber attacks. The release of these security fixes underscores the continuous need for vigilance in maintaining secure software infrastructures.
References:
- The Hacker News: Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now
- ciso2ciso.com: Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now – Source:thehackernews.com
- Osint10x: Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now
- securityonline.info: CVE-2024-45387 (CVSS 9.9): Critical SQL Injection Vulnerability Found in Apache Traffic Control
- ciso2ciso.com: Apache fixed a critical SQL Injection in Apache Traffic Control – Source: securityaffairs.com
- securityaffairs.com: Apache fixed a critical SQL Injection in Apache Traffic Control
- malware.news: Apache Software Foundation (ASF) addressed a critical SQL Injection vulnerability, tracked as CVE-2024-45387, in Apache Traffic Control.
- www.scworld.com: Apache fixes Traffic Control bug that attackers could exploit
- BleepingComputer: The Apache Software Foundation has released security updates to address three severe problems that affect MINA, HugeGraph-Server, and Traffic Control products.
- Hacker News: Apache fixes Traffic Control bug that attackers could exploit
- securityonline.info: CVE-2024-45387: PoC Published for Critical SQL Injection in Apache Traffic Control
Lisa Haas@Security Boulevard - 74d
A critical security vulnerability, identified as CVE-2024-50379, has been disclosed in the Apache Tomcat web server. This flaw exposes the platform to remote code execution (RCE) due to a Time-of-Check to Time-of-Use (TOCTOU) race condition during JSP compilation. The vulnerability stems from a timing issue where Tomcat checks if a JSP file is safe to compile, but a small window exists for an attacker to modify the file before it is actually used. This allows malicious JSP files to be uploaded and executed on the server if certain conditions are met.
The vulnerability is specifically exploitable on case-insensitive file systems, such as Windows, and if the default servlet is configured to allow write operations. An attacker could take advantage of this by quickly uploading a malicious JSP file with a different case before it’s compiled by Tomcat, thus executing the malicious code. Patches for this vulnerability are available in Apache Tomcat versions 11.0.2, 10.1.34, and 9.0.98 and later. Users of affected versions are urged to upgrade to these versions to mitigate this risk. The vulnerability has a severity rating of 9.8, highlighting the critical nature of the issue.
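A configuration audit for the precondition described above, written as an added example rather than code from the page or the Tomcat project: it parses a web.xml (Java EE or Jakarta EE namespace) and reports any DefaultServlet whose `readonly` init-param is `false`. The sample web.xml is constructed, and the hardening step of setting `readonly` back to `true` (DefaultServlet's default when the parameter is absent) is assumed from Tomcat's DefaultServlet documentation.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample in the shape of Tomcat's conf/web.xml. A DefaultServlet with
# readonly=false accepts write requests, the precondition the advisory names;
# combined with a case-insensitive file system this is the exposed configuration.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Hardened form: the same file with readonly set back to true (assumed mitigation).
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "readonly</param-name><param-value>false", "readonly</param-name><param-value>true"
)


def _local(tag: str) -> str:
    """Drop the XML namespace so javaee and jakartaee web.xml files parse the same way."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem: ET.Element, name: str) -> str:
    """Text of the first direct child with the given local name, or '' if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def writable_default_servlets(web_xml: str) -> list[str]:
    """Return servlet names that map DefaultServlet with readonly=false."""
    findings = []
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        readonly = "true"  # DefaultServlet default when the init-param is not set
        for param in servlet:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "readonly":
                readonly = _child_text(param, "param-value").lower()
        if readonly == "false":
            findings.append(_child_text(servlet, "servlet-name"))
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, writable_default_servlets(doc))
```

Run it against both the container's conf/web.xml and each application's WEB-INF/web.xml, since either can override the servlet; the references below note that the initial fix was followed by CVE-2024-56337, so this check is useful alongside upgrading rather than instead of it.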
References:
- Security Boulevard: CVE-2024-50379: A Critical Race Condition in Apache Tomcat
- www.mail-archive.com: Apache Tomcat security advisory 17 December 2024 (9.8 critical) RCE (remote code execution) due to TOCTOU (time-of-check to time-of-use) issue in JSP compilation.
- The Hacker News: The Apache Software Foundation (ASF) has released a security update to address an important vulnerability in its Tomcat server software that could result in remote code execution (RCE) under certain conditions.
- securityaffairs.com: The Apache Software Foundation fixed a Tomcat server software flaw that could lead to remote code execution under certain conditions.
- securityonline.info: The Apache Software Foundation recently released a critical security update to address a remote code execution (RCE) vulnerability in Apache Tomcat, identified as CVE-2024-56337.
- BleepingComputer: Apache has released a security update that addresses an important vulnerability in Tomcat web server that could lead to an attacker achieving remote code execution.
- ciso2ciso.com: Apache Foundation fixed a severe Tomcat vulnerability – Source: securityaffairs.com
do son@Cybersecurity News - 82d
Apache Superset, a popular open-source data visualization platform, has been patched to address multiple critical security vulnerabilities. These flaws included SQL injection vulnerabilities, allowing attackers to execute malicious SQL queries and potentially access sensitive data, and improper authorization issues, enabling lower-privileged users to create new roles and escalate their privileges when the FAB_ADD_SECURITY_API was enabled. The vulnerabilities were identified in versions prior to 4.1.0 and affect both API endpoints and PostgreSQL functions. Researchers discovered that inadequate query validation checks allowed bypassing security mechanisms. Specific PostgreSQL functions like `query_to_xml`, `query_to_xml_and_xmlschema`, `table_to_xml`, and `table_to_xml_and_xmlschema` were found to be particularly exploitable.
The Apache Software Foundation has released Apache Superset 4.1.0 to address these vulnerabilities, specifically CVE-2024-53947 (SQL injection), CVE-2024-53948 (metadata exposure), and CVE-2024-53949 (authorization bypass). The update includes comprehensive patches, and users are urged to upgrade immediately. As a temporary mitigation for CVE-2024-53947, users can manually add the vulnerable PostgreSQL functions to the `DISALLOWED_SQL_FUNCTIONS` configuration setting. For CVE-2024-53949, disabling `FAB_ADD_SECURITY_API` is recommended if it is not strictly necessary. The release notes emphasize the importance of this update to protect sensitive data and prevent unauthorized access.
References:
- Cyber Security News: Report detailing the security vulnerabilities found in Apache Superset.
- Open Source Security: Discussion of the security flaws and upgrade recommendations for Apache Superset
- securityonline.info: News article about the release of Apache Superset 4.1.0, which addresses multiple security flaws.
- Open Source Security: CVE-2024-55633: Apache Superset: SQLLab Improper readonly query validation allows unauthorized write access
- securityonline.info: CVE-2024-55633: Apache Superset Vulnerability Exposes Sensitive Data to Unauthorized Modification
Ashish Khaitan@The Cyber Express - 66d
Multiple critical vulnerabilities have been identified in several Apache software products, posing significant risks to users. The Cyber Security Agency of Singapore has issued alerts regarding these flaws, urging immediate updates. CVE-2024-43441 affects Apache HugeGraph-Server, allowing for authentication bypass, potentially granting unauthorized access to systems. Another critical issue, CVE-2024-45387, has been discovered in Apache Traffic Control and is a SQL injection vulnerability that can be exploited by privileged users to execute arbitrary SQL commands, risking data manipulation or exfiltration.
Apache MINA is also affected by CVE-2024-52046, which allows remote code execution through deserialization flaws. It is crucial that users apply security patches promptly. For Apache MINA, additional configuration is required to restrict which classes may be deserialized, further mitigating the risk. Furthermore, a high-risk vulnerability, CVE-2024-56512, has been found in Apache NiFi, a data processing and distribution system; it can expose sensitive information to unauthorized users, especially when component-based authorization policies are in use. A patch for NiFi has been issued in version 2.1.0, and users should upgrade immediately.
References:
- BleepingComputer: The Apache Software Foundation has released security updates to address three severe problems that affect MINA, HugeGraph-Server, and Traffic Control products.
- malware.news: Apache fixes Traffic Control bug that attackers could exploit
- www.bleepingcomputer.com: Apache warns of critical flaws in MINA, HugeGraph, Traffic Control
- www.scworld.com: Apache fixes Traffic Control bug that attackers could exploit
- thecyberexpress.com: Critical Apache Vulnerabilities: Update Now to Avoid Major Risks
- www.csa.gov.sg: CVE-2024-45387: PoC Published for Critical SQL Injection in Apache Traffic Control
- securityonline.info: CVE-2024-45387: PoC Published for Critical SQL Injection in Apache Traffic Control
@securityonline.info - 25d
Multiple critical vulnerabilities have been discovered in Apache Cassandra, raising concerns about unauthorized access, privilege escalation, and potential theft of JMX credentials. These flaws, identified as CVE-2024-27137, CVE-2025-24860, and CVE-2025-23015, impact a wide range of Cassandra versions, potentially exposing sensitive data to malicious actors. Organizations relying on the open-source NoSQL database are urged to take immediate action.
The most alarming vulnerability, CVE-2025-24860, allows attackers to bypass network authorization controls. Specifically, it affects the CassandraNetworkAuthorizer and CassandraCIDRAuthorizer, granting unauthorized access to different network regions. This issue impacts Apache Cassandra versions 4.0.0 through 4.0.15 and 4.1.0 through 4.1.7 for CassandraNetworkAuthorizer, and versions 5.0.0 through 5.0.2 for both CassandraNetworkAuthorizer and CassandraCIDRAuthorizer. On affected versions, users with restricted data center access can even escalate their own permissions through Data Control Language (DCL) statements. Operators are advised to review data access rules and upgrade to version 4.0.16, 4.1.8, or 5.0.3, which address the issue.
References:
- buherator's timeline: Apache Cassandra vulnerabilities: CVE-2024-27137: Unrestricted deserialization of JMX authentic...
- Open Source Security: CVE-2025-24860: Apache Cassandra: CassandraNetworkAuthorizer and CassandraCIDRAuthorizer can be bypassed allowing access to different network regions
- securityonline.info: Security Flaws Discovered in Apache Cassandra: Unauthorized Access, Privilege Escalation, and JMX Credential Theft