The Apache Software Foundation (ASF) has released patches to address a maximum severity vulnerability in the MINA Java network application framework that could result in remote code execution under specific conditions.
Tracked as CVE-2024-52046, the vulnerability carries a CVSS score of 10.0. It affects versions 2.0.X, 2.1.X, and 2.2.X.
“The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses,” the project maintainers said in an advisory released on December 25, 2024.
“This vulnerability allows attackers to exploit the deserialization process by sending specially crafted malicious serialized data, potentially leading to remote code execution (RCE) attacks.”
However, it bears noting that the vulnerability is exploitable only if the “IoBuffer#getObject()” method is invoked in combination with certain classes such as ProtocolCodecFilter and ObjectSerializationCodecFactory.
“Upgrading will not be enough: you also need to explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance, using one of the three new methods,” Apache said.
The disclosure comes days after the ASF remediated multiple flaws spanning Tomcat (CVE-2024-56337), Traffic Control (CVE-2024-45387), and HugeGraph-Server (CVE-2024-43441).
Earlier this month, Apache also fixed a critical security flaw in the Struts web application framework (CVE-2024-53677) that an attacker could abuse to obtain remote code execution. Active exploitation attempts have since been detected.
Users of these products are strongly advised to update their installations to the latest versions as soon as possible to safeguard against potential threats.