Critical SQL Injection Vulnerability Fixed in Apache Traffic Control
2024-12-26
Learn about the critical vulnerabilities in popular Apache open-source projects and the importance of proactive patch management to protect cloud environments.
The Apache Software Foundation has released updates to fix a critical SQL injection vulnerability in Apache Traffic Control, which could allow privileged users to execute arbitrary SQL commands. This vulnerability affects versions 8.0.0 to 8.0.1 and has been resolved in version 8.0.2. Apache Traffic Control is an open-source CDN solution. The issue was identified by a researcher from Tencent YunDing Security Lab. Concurrently, the ASF has also addressed other vulnerabilities, including an authentication bypass in Apache HugeGraph-Server and a remote code execution flaw in Apache Tomcat. Users are advised to update to the latest versions to mitigate these risks.
Patch Management, Over Permissive Roles, Open Source, Web App/Website Vulnerability
Apache Traffic Control, SQL Injection, CVE-2024-45387, Open Source Security, Vulnerability Patch, CDN Security
CVE-2024-45387; CVE-2024-43441; CVE-2024-56337
Apache Traffic Control, Apache HugeGraph-Server, Apache Tomcat
Critical Security Update for Apache Traffic Control
The Apache Software Foundation has issued a crucial security update for Apache Traffic Control, an open-source Content Delivery Network (CDN) solution. This update addresses a critical SQL injection vulnerability that could allow certain privileged users to execute arbitrary SQL commands on the database. The vulnerability is present in versions 8.0.0 through 8.0.1 and has been resolved in version 8.0.2.
Details of the Vulnerability
The vulnerability, identified as CVE-2024-45387, carries a critical severity rating of 9.9 out of 10 on the Common Vulnerability Scoring System (CVSS). It is specifically located in the Traffic Ops component of Apache Traffic Control. Users with the 'admin,' 'federation,' 'operations,' 'portal,' or 'steering' roles could exploit this flaw by sending specially crafted PUT requests to the system, thereby executing arbitrary SQL commands.
Discoverer and Acknowledgment
The vulnerability was discovered by a researcher from Tencent YunDing Security Lab. Thanks to their efforts, the Apache Software Foundation was able to quickly address and patch the issue.
Other Apache Vulnerabilities
In addition to the SQL injection flaw in Apache Traffic Control, the Apache Software Foundation has also patched an authentication bypass vulnerability in Apache HugeGraph-Server (CVE-2024-43441). This vulnerability affected versions 1.0 through 1.3 and has been fixed in version 1.5.0. Moreover, a remote code execution vulnerability in Apache Tomcat (CVE-2024-56337) has been addressed as well.
Recommended Actions
To mitigate the risks associated with these vulnerabilities, users are strongly encouraged to update their software to the latest versions. Ensuring that all systems are up to date with the latest security patches is crucial to maintaining a secure environment.
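As an added illustration (not code from Apache Traffic Control, Traffic Ops, or the advisory), the following Python snippet shows why a flaw of the kind described above is fixed by binding request values as query parameters rather than by relying on the caller holding a privileged role. The in-memory SQLite table, the hypothetical update_description handlers and the tampered request field are all constructed for this demo.

```python
"""
Vulnerable-versus-hardened handler for a PUT-style update request.
Constructed example: an in-memory SQLite table stands in for an
application database, and 'update_description_*' are hypothetical
handlers, not the project's real endpoints.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample records standing in for application data.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE servers (id INTEGER PRIMARY KEY, hostname TEXT, description TEXT)"
    )
    conn.executemany(
        "INSERT INTO servers VALUES (?, ?, ?)",
        [(1, "edge-01", "edge cache"), (2, "edge-02", "edge cache"), (3, "mid-01", "mid tier")],
    )
    conn.commit()
    return conn


def update_description_unsafe(conn: sqlite3.Connection, server_id: str, description: str) -> int:
    # VULNERABLE PATTERN: fields from the request body are spliced into the SQL text.
    # Whoever is allowed to call this endpoint also controls the query structure;
    # an authorisation check on the caller does nothing to prevent that.
    sql = f"UPDATE servers SET description = '{description}' WHERE id = {server_id}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # how many rows the request actually modified


def update_description_safe(conn: sqlite3.Connection, server_id: str, description: str) -> int:
    # HARDENED PATTERN: the SQL text is a constant; request values are bound as
    # parameters, so the database engine never interprets them as SQL. A tampered
    # id is compared as an ordinary value and simply matches nothing.
    cur = conn.execute(
        "UPDATE servers SET description = ? WHERE id = ?",
        (description, server_id),
    )
    conn.commit()
    return cur.rowcount


def rows_with_description(conn: sqlite3.Connection, description: str) -> int:
    # Helper for inspecting the effect of an update.
    row = conn.execute(
        "SELECT COUNT(*) FROM servers WHERE description = ?", (description,)
    ).fetchone()
    return row[0]


def demo() -> tuple:
    """Run both handlers against the same tampered id and return (unsafe_rows, safe_rows)."""
    tampered_id = "1 OR 1=1"  # constructed: an id field altered in a PUT body
    unsafe_rows = update_description_unsafe(make_db(), tampered_id, "changed")
    safe_rows = update_description_safe(make_db(), tampered_id, "changed")
    return unsafe_rows, safe_rows


if __name__ == "__main__":
    unsafe, safe = demo()
    print(f"string-built query modified {unsafe} rows; parameterised query modified {safe} rows")
```

The point for defenders is that restricting an endpoint to trusted roles does not remove the injection: the string-built handler lets one tampered field rewrite every row, while the parameterised handler touches none of them and still performs a legitimate update for a well-formed id. Input validation (rejecting a non-numeric id before it reaches the database) is a worthwhile second layer, but parameter binding is the fix.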
https://thehackernews.com/2024/12/critical-sql-injection-vulnerability-in.html?m=1