If you haven’t upgraded to version 1.3.0 of Apache HugeGraph, now is the time. At least two proof-of-concept (POC) exploits for a CVSS 9.8-rated remote command execution (RCE) vulnerability in the open-source graph database have been made public.
Apache HugeGraph is widely used by developers to build applications based on graph databases, commonly in Java 8 and Java 11 environments.
In late April, the Apache Software Foundation disclosed a critical vulnerability, identified as CVE-2024-27348, in versions of HugeGraph-Server before the 1.3.0 release. The exploit code for this vulnerability is now available on GitHub.
The CVE-2024-27348 flaw can be exploited to bypass sandbox restrictions and achieve remote code execution by using specially crafted Gremlin commands that take advantage of missing reflection filtering in the SecurityManager.
SecureLayer7, a penetration testing firm, has provided a detailed analysis of the CVE, emphasizing the urgency for administrators to address this issue. If exploited, the flaw allows attackers to gain complete control over the server, steal confidential data, explore the victim organization’s internal network, deploy ransomware, and conduct other malicious activities.
🚨POC RELEASED🚨Apache HugeGraph Server RCE Scanner (CVE-2024-27348).#DarkWeb #Cybersecurity #Security #Cyberattack #Cybercrime #Privacy #Infosec #CVE202427348 #Vulnerability pic.twitter.com/UmktIwfTKi
— Dark Web Informer (@DarkWebInformer) June 6, 2024
In April, the open-source project urged users to upgrade to version 1.3.0 with Java 11 and enable the Auth system to mitigate the vulnerability. Apache credited “6right” from Chinese cloud security vendor Moresec for discovering and reporting the flaw. Additionally, project maintainers recommended enabling the “Whitelist-IP/port” function to enhance the security of RESTful-API execution.
Two notable POC exploits have been released: one by bug bounty hunter Milan Jovic, which allows unauthenticated users to execute OS commands on vulnerable versions, and another by developer Zeyad Azima, who released a Python scanner intended for ethical use to identify vulnerable HugeGraph implementations.
https://t.co/gw4rm5aXY8 – Apache HugeGraph 1.3.0 fixes critical CVE-2024-27348 vulnerability. Upgrade for Java 8 and 11 users is crucial to prevent remote command execution. #Xynik #CyberSecurity #Java11
— Xynik (@XynikIT) June 7, 2024
Given the widespread use of Apache HugeGraph and the severity of this flaw, it’s crucial to upgrade to the fixed version as soon as possible. The urgency is heightened by the release of these POC exploits, which could be abused by malicious actors.
Start Growing with Cloudways Today.
Our Clients Love us because we never compromise on these
Abdul Rehman
Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.
