In a significant effort to address a critical security flaw, the Apache Software Foundation (ASF) has released a patch for a vulnerability in Apache Traffic Control, an open-source Content Delivery Network (CDN) project. This vulnerability, identified as CVE-2024-45387, has been assigned an alarming severity score of 9.9 out of 10 on the Common Vulnerability Scoring System (CVSS). The flaw allows a privileged user with roles such as ‘admin,’ ‘federation,’ ‘operations,’ ‘portal,’ or ‘steering’ to execute arbitrary SQL commands in the database through a specially crafted PUT request. The discovery was made by Yuan Luo from Tencent YunDing Security Lab, prompting a response from ASF to mitigate the risk.
In response to the identified threat, ASF promptly issued a patch included in the updated version 8.0.2 of Apache Traffic Control. The swift action was crucial to secure the framework against potential malicious exploitation. The nature of the flaw enables those with specific roles more control than intended, compromising the database’s integrity. Such a severe vulnerability underscores the importance of maintaining updated software systems and vigilant security practices within organizations relying on Apache Traffic Control for their content delivery needs. The update to version 8.0.2 is strongly advised for all users to safeguard their systems effectively.
Alongside the fix for Apache Traffic Control, ASF has recently addressed other critical security issues within its ecosystem. This includes an authentication bypass flaw in Apache HugeGraph-Server, identified as CVE-2024-43441 and resolved in version 1.5.0. Additionally, a remote code execution vulnerability found in Apache Tomcat, CVE-2024-56337, has been rectified. These updates reflect ASF’s ongoing commitment to enhancing the security and resilience of its software offerings.
Users are urged to swiftly upgrade their Apache Traffic Control installations to the latest version 8.0.2, ensure Apache HugeGraph-Server is updated to version 1.5.0, and verify their Apache Tomcat installations are current. The persistent emergence of security vulnerabilities highlights the necessity for continuous vigilance and timely software updates to protect against evolving cybersecurity threats. Proactive measures and attention to security advisories are essential in maintaining robust defenses against potential exploits.