Critical Security Vulnerabilities Identified in Apache HugeGraph-Server and Tomcat

Recent disclosures have unveiled two significant vulnerabilities affecting widely used software platforms: Apache HugeGraph-Server and Apache Tomcat. These vulnerabilities, CVE-2024-43441 and CVE-2024-56337, pose severe risks to organizations relying on these tools for data management and web application hosting. Here, we delve into the details of these issues and provide actionable recommendations for mitigation.

CVE-2024-43441: Authentication Bypass in Apache HugeGraph-Server

Apache HugeGraph-Server, a powerful open-source graph database system, is central to many applications requiring intricate data relationships and queries. A recently identified vulnerability, CVE-2024-43441, exposes versions 1.0 to 1.3 of the software (before 1.5.0) to significant risks. This flaw is classified as an authentication bypass by assumed-immutable data vulnerability and has been rated critical.

Key Details:

• Affected Versions: Apache HugeGraph-Server 1.0 to 1.3
• Severity: Important
• Issue: Improper handling of authentication mechanisms allows attackers to bypass authentication by exploiting assumed immutable data structures.

Potential Impact: Exploiting this vulnerability can grant unauthorized access to sensitive server resources and functionalities, paving the way for data breaches and system compromises. This is particularly concerning for enterprises in sectors such as finance and healthcare, where sensitive data is prevalent.

Mitigation Steps:

1. Upgrade to Version 1.5.0: The Apache Software Foundation has addressed this issue in version 1.5.0. Immediate upgrading is crucial to safeguard systems.
2. Implement Access Controls: Enforce strict access controls to minimize unauthorized entry points.
3. Regular Security Reviews: Periodically review and update authentication mechanisms to maintain robustness.
4. Monitor Logs: Monitor server logs for unusual activity that might indicate exploitation attempts.

While there are no reports of active exploitation in the wild, public disclosure of vulnerabilities often accelerates threat actors’ attempts to develop exploits.

CVE-2024-56337: Incomplete Mitigation in Apache Tomcat

Another critical vulnerability, CVE-2024-56337, has been identified in Apache Tomcat. It is described as an incomplete mitigation for CVE-2024-50379, a previously disclosed flaw with a CVSS score of 9.8. Both vulnerabilities are classified as Time-of-check Time-of-use (TOCTOU) race condition issues and could lead to remote code execution.

Key Details:

• Affected Versions:
  • Apache Tomcat 11.0.0-M1 to 11.0.1 (Fixed in 11.0.2 or later)
  • Apache Tomcat 10.1.0-M1 to 10.1.33 (Fixed in 10.1.34 or later)
  • Apache Tomcat 9.0.0.M1 to 9.0.97 (Fixed in 9.0.98 or later)
• Severity: Critical
• Issue: Concurrent read and upload operations under load can bypass Tomcat’s case sensitivity checks. Uploaded files could be treated as JSPs, leading to remote code execution.

Mitigation Steps:

1. Upgrade to Patched Versions: Ensure systems are running:
   • Apache Tomcat 11.0.2 or later
   • Apache Tomcat 10.1.34 or later
   • Apache Tomcat 9.0.98 or later
2. Java-Specific Configurations:
   • For Java 8 or Java 11: Explicitly set the system property sun.io.useCanonCaches to false (default is true).
   • For Java 17: Ensure sun.io.useCanonCaches is set to false if manually configured.
   • For Java 21 and later: No action is required as the property has been removed.
3. Disable Default Servlet Write Access: Configure the servlet’s read-only initialization parameter to true to prevent unauthorized write operations.

Broader Implications and Lessons Learned

Zero Day Initiative (ZDI) Observations: Similar critical disclosures, such as CVE-2024-12828 in Webmin, underscore the urgency of addressing such vulnerabilities. This flaw allows authenticated remote attackers to execute arbitrary code due to improper validation of user-supplied strings.

Insights from Apache Vulnerabilities:

1. Proactive Patching: Organizations must prioritize timely updates for critical software to mitigate risks effectively.
2. Holistic Security Posture: Implementing layered security measures, such as firewalls, intrusion detection systems, and regular audits, can significantly reduce the attack surface.
3. Community Collaboration: Security researchers and organizations are pivotal in identifying, reporting, and mitigating vulnerabilities. Apache credited individuals and teams, including KnownSec 404, for reporting these flaws.

Conclusion

The vulnerabilities in Apache HugeGraph-Server and Apache Tomcat highlight the importance of vigilance in software security. Enterprises must adopt a proactive approach by staying informed, applying patches promptly, and implementing comprehensive security measures. With sensitive data and critical systems at stake, addressing these vulnerabilities is not merely an option but a necessity.

Organizations using these tools should immediately mitigate risks and ensure their systems remain resilient against evolving threats. As the cybersecurity landscape grows increasingly complex, collaboration and vigilance are key to maintaining secure and reliable IT infrastructure.

For more:

https://cybersecuritynews.com/apache-hugegraph-server-vulnerability/

https://thehackernews.com/2024/12/apache-tomcat-vulnerability-cve-2024.html