Apache Traffic Control: Critical Vulnerability Found

Apache Software Foundation Releases Security Updates to Fix Critical Vulnerability in Apache Traffic Control

The Apache Software Foundation has released security updates that eliminate a critical vulnerability in Apache Traffic Control. The flaw is rated Critical, with a CVSS score of 9.9 out of a possible 10.

The vulnerability, tracked as CVE-2024-45387, is an SQL injection in the Traffic Ops component that allows an attacker to execute arbitrary SQL statements against the backing database. It affects Apache Traffic Control versions 8.0.0 through 8.0.1.

According to the developers, exploitation requires an already-authenticated account holding one of the privileged roles “admin”, “federation”, “operations”, “portal” or “steering”. Such a user can trigger the injection by sending a specially crafted PUT request to Traffic Ops. The prerequisite narrows the attacker population, but it does not make the issue low-risk: any one of those roles becomes a path to arbitrary reads and writes across the whole database, well beyond what the role is supposed to permit.
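The page does not describe which Traffic Ops endpoint or request field is affected, so the following is an added illustration of the bug class only, not code from Apache Traffic Control (whose Traffic Ops is written in Go against PostgreSQL). The table, the `name` and `dnssec_enabled` fields, the handler functions and the sample rows are all constructed for the example. It contrasts a handler that splices a field from the PUT body into the SQL text with one that binds it as a parameter, and shows how a user who is only supposed to edit one object ends up rewriting every row.

```python
"""Illustrative SQL-injection demo (added example, not Apache Traffic Control code).

The real endpoint and parameter behind CVE-2024-45387 are not given on this
page; the 'cdn' table, the JSON body fields and both handlers below are
constructed assumptions used only to show the bug class.
"""
import sqlite3

# Constructed payload: closes the quoted string and appends a tautology,
# so the WHERE clause matches every row instead of the one named object.
INJECTED_NAME = "x' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed sample CDN rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cdn (id INTEGER PRIMARY KEY, name TEXT, dnssec_enabled INTEGER)"
    )
    conn.executemany(
        "INSERT INTO cdn (name, dnssec_enabled) VALUES (?, ?)",
        [("cdn-east", 1), ("cdn-west", 1), ("cdn-lab", 1)],
    )
    conn.commit()
    return conn


def update_cdn_vulnerable(conn: sqlite3.Connection, body: dict) -> int:
    """Hypothetical PUT handler that concatenates the request body into SQL.

    Returns the number of rows changed, which is what an auditor would watch.
    """
    sql = "UPDATE cdn SET dnssec_enabled = %d WHERE name = '%s'" % (
        int(body["dnssec_enabled"]),
        body["name"],  # attacker-controlled string spliced into the statement
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_cdn_fixed(conn: sqlite3.Connection, body: dict) -> int:
    """Same handler with the value bound as a parameter; the driver quotes it,
    so the payload is compared as a literal name and matches nothing."""
    cur = conn.execute(
        "UPDATE cdn SET dnssec_enabled = ? WHERE name = ?",
        (int(body["dnssec_enabled"]), body["name"]),
    )
    conn.commit()
    return cur.rowcount


def cdn_rows(conn: sqlite3.Connection) -> list:
    """Return (name, dnssec_enabled) for every row, ordered by id."""
    return conn.execute("SELECT name, dnssec_enabled FROM cdn ORDER BY id").fetchall()


def demo() -> dict:
    """Run the same malicious PUT body through both handlers."""
    body = {"name": INJECTED_NAME, "dnssec_enabled": 0}

    vuln_db = make_db()
    vuln_changed = update_cdn_vulnerable(vuln_db, body)  # every row loses DNSSEC

    fixed_db = make_db()
    fixed_changed = update_cdn_fixed(fixed_db, body)  # nothing matches the literal

    return {
        "vulnerable_rows_changed": vuln_changed,
        "vulnerable_state": cdn_rows(vuln_db),
        "fixed_rows_changed": fixed_changed,
        "fixed_state": cdn_rows(fixed_db),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point to carry over to a Go code base is identical: pass user-supplied values through `database/sql` placeholders rather than building the statement with `fmt.Sprintf`, and review every handler reachable by a privileged role, not only the unauthenticated surface.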

Apache Traffic Control is an open-source implementation of a content delivery network (CDN). It became a top-level project of the Apache Software Foundation in June 2018.

The vulnerability was reported by security researcher Yuan Luo of Tencent YunDing Security Lab. Users should upgrade Apache Traffic Control to version 8.0.2, which contains the fix; until then, the practical mitigation is to review and minimise who holds the roles listed above.

Alongside the Apache Traffic Control fix, the foundation also addressed an authentication bypass in Apache HugeGraph-Server (CVE-2024-43441), affecting versions 1.0 through 1.3; the fix shipped in version 1.5.0. Shortly before, the Apache Tomcat developers released a patch for a critical vulnerability (CVE-2024-56337) that, under specific conditions, could lead to remote code execution. That issue was an incomplete fix for CVE-2024-50379, a time-of-check to time-of-use race that is only reachable when the default servlet has write access enabled (it is read-only by default) on a case-insensitive file system, so administrators should check both that configuration and the Tomcat release notes for the Java-version-specific settings the patch requires.

Sources: vendor reports, release notes and official announcements.