Remote Code Execution Risk in Apache MINA ObjectSerializationDecoder
CVE-2024-52046
Key Information
- Vendor: Apache
- Status
- Apache Mina
- Vendor
- CVE Published: 25 December 2024
Summary
The ObjectSerializationDecoder in Apache MINA is vulnerable because it relies on Java's native deserialization without proper restrictions on the classes it will instantiate. An attacker who can send specially crafted serialized data to an affected endpoint can abuse the deserialization process, which may result in remote code execution on the affected system. The vulnerability affects MINA core versions 2.0.X, 2.1.X, and 2.2.X and is fixed in releases 2.0.27, 2.1.10, and 2.2.4. Applications are only exposed if they call the IoBuffer#getObject() method, which happens in particular when a ProtocolCodecFilter built from ObjectSerializationCodecFactory is added to the filter chain. Upgrading the MINA library alone is not sufficient: developers must also configure the ObjectSerializationDecoder to explicitly allow the class names and patterns it may deserialize. Once patched, the decoder rejects every class present in incoming serialized data by default, so it only provides protection when this allow-list is configured correctly.
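The hardened configuration the summary calls for, as an added illustration that is not code from this page or from the Apache MINA project: a ProtocolCodecFilter built on ObjectSerializationCodecFactory whose decoder is restricted to an explicit allow-list. The message class names, the regex, the object-size cap and the listening port are assumptions for the example; it also assumes, as the stock factory does, that getDecoder() returns the factory's own ObjectSerializationDecoder instance, and it requires one of the fixed releases (2.0.27, 2.1.10 or 2.2.4) where the accept(...) methods exist.

```java
import java.net.InetSocketAddress;
import java.util.regex.Pattern;

import org.apache.mina.core.service.IoAcceptor;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.serialization.ObjectSerializationCodecFactory;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;

public final class HardenedObjectCodec {

    /** Builds the codec filter with an explicit deserialization allow-list. */
    public static ProtocolCodecFilter buildFilter() throws Exception {
        ObjectSerializationCodecFactory factory = new ObjectSerializationCodecFactory();

        // Cap the size of a single serialized object (assumed limit) so an
        // oversized payload cannot exhaust memory before the class check runs.
        factory.setDecoderMaxObjectSize(64 * 1024);

        // The factory hands back the decoder it created; cast it to reach the
        // accept(...) methods introduced with the fix for CVE-2024-52046.
        ObjectSerializationDecoder decoder =
                (ObjectSerializationDecoder) factory.getDecoder(null);

        // Hypothetical application message classes. Everything not listed here
        // is rejected by default once the patched release is in use.
        decoder.accept("com.example.chat.ChatMessage", "com.example.chat.Heartbeat");
        decoder.accept(Pattern.compile("com\\.example\\.chat\\.events\\.[A-Za-z]+Event"));

        return new ProtocolCodecFilter(factory);
    }

    public static void main(String[] args) throws Exception {
        IoAcceptor acceptor = new NioSocketAcceptor();
        // The hardened filter goes in the chain where ObjectSerializationCodecFactory
        // would otherwise have been used unrestricted.
        acceptor.getFilterChain().addLast("codec", buildFilter());
        acceptor.bind(new InetSocketAddress(9123)); // assumed port
    }
}
```

Keep the allow-list limited to the application's own message types; broad wildcards such as a whole package prefix reintroduce much of the original risk.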
Affected Version(s)
Apache MINA <= 2.1.9
Apache MINA <= 2.2.3
News Articles
Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization
Critical Apache MINA flaw CVE-2024-52046 with CVSS 10.0 enables RCE via serialization flaws. Patch required.
Timeline
First article discovered by The Hacker News
Vulnerability published
Vulnerability Reserved