Platform: java
Component: org.apache.inlong:tubemq-core
Fixed in: 1.12.1, 1.13.0
CVE-2024-36268 describes a Code Injection vulnerability within Apache InLong, potentially leading to Remote Code Execution. This flaw impacts versions 1.10.0 through 1.12.0. A fix is available in version 1.13.0, and users are strongly encouraged to upgrade immediately.
The Code Injection vulnerability in Apache InLong allows an attacker to inject malicious code into the system. Successful exploitation could lead to complete system compromise, including data exfiltration, modification, and denial of service. The attacker could potentially gain control of the InLong cluster and leverage it for further attacks within the network. While no specific real-world exploits have been publicly linked to this vulnerability yet, the potential for RCE makes it a high-priority concern, especially given the complexity of distributed messaging systems like InLong.
CVE-2024-36268 was publicly disclosed on August 2, 2024. Its severity is rated HIGH with a CVSS score of 7.6. There are currently no known active campaigns exploiting this vulnerability, but the availability of a public proof-of-concept could change this rapidly. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations utilizing Apache InLong for data streaming and messaging, particularly those running versions 1.10.0 through 1.12.0, are at risk. This includes companies relying on InLong for real-time data pipelines, event-driven architectures, and integration with other systems. Shared hosting environments where InLong instances are deployed alongside other applications should be especially vigilant.
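As an added example (not part of this advisory or of the Apache InLong project), the following Python script reads a Maven pom.xml and reports whether the declared org.apache.inlong:tubemq-core version falls inside the affected 1.10.0 through 1.12.0 range named above. The sample poms embedded in it are constructed; `${...}` placeholders are resolved from the pom's own `<properties>`, and a version that is inherited from a parent or BOM is reported as unresolved rather than guessed, since only the effective pom can answer that case.

```python
"""Check a Maven pom.xml for versions of org.apache.inlong:tubemq-core inside the
range affected by CVE-2024-36268 (1.10.0 through 1.12.0; fixed in 1.12.1 and 1.13.0)."""
import re
import xml.etree.ElementTree as ET

# Coordinates and version bounds as given in the advisory.
AFFECTED_GROUP = "org.apache.inlong"
AFFECTED_ARTIFACT = "tubemq-core"
AFFECTED_FROM = "1.10.0"  # first affected release (inclusive)
AFFECTED_TO = "1.12.0"    # last affected release (inclusive)


def parse_version(version):
    """'1.12.0' or '1.12.0-incubating' -> (1, 12, 0). The qualifier after '-' is
    ignored and non-numeric segments count as 0, so '1.12' sorts below '1.12.1'."""
    parts = []
    for piece in version.split("-", 1)[0].split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(version):
    """True when the version lies inside the advisory's affected range."""
    return parse_version(AFFECTED_FROM) <= parse_version(version) <= parse_version(AFFECTED_TO)


def _text(elem, ns, tag):
    child = elem.find(ns + tag)
    return child.text.strip() if child is not None and child.text else None


def check_pom(pom_xml):
    """Return one finding per declared tubemq-core dependency. status is 'affected',
    'not affected', or 'unresolved' when the version comes from a parent/BOM
    (then inspect the effective pom, e.g. `mvn help:effective-pom`)."""
    root = ET.fromstring(pom_xml)
    # Most poms carry the POM 4.0.0 namespace, but it is optional.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    # <properties> feed the ${name} placeholders commonly used in <version>.
    props = {}
    props_elem = root.find(ns + "properties")
    if props_elem is not None:
        for prop in props_elem:
            props[prop.tag.replace(ns, "")] = (prop.text or "").strip()

    findings = []
    for dep in root.iter(ns + "dependency"):
        if (_text(dep, ns, "groupId") != AFFECTED_GROUP
                or _text(dep, ns, "artifactId") != AFFECTED_ARTIFACT):
            continue
        version = _text(dep, ns, "version")
        if version is not None:
            version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), version)
        if version is None or "${" in version:
            status = "unresolved"
        elif is_affected(version):
            status = "affected"
        else:
            status = "not affected"
        findings.append({"version": version, "status": status})
    return findings


# Constructed sample poms (not from any real project) covering the outcomes above.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><inlong.version>1.11.0</inlong.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.inlong</groupId>
      <artifactId>tubemq-core</artifactId>
      <version>${inlong.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.inlong</groupId>
      <artifactId>tubemq-client</artifactId>
      <version>1.11.0</version>
    </dependency>
  </dependencies>
</project>"""

# No namespace and no <version>: the value is managed elsewhere, so do not guess.
SAMPLE_POM_MANAGED = """<project><dependencies><dependency>
  <groupId>org.apache.inlong</groupId><artifactId>tubemq-core</artifactId>
</dependency></dependencies></project>"""

if __name__ == "__main__":
    for pom in (SAMPLE_POM, SAMPLE_POM_MANAGED):
        for f in check_pom(pom):
            print(f"tubemq-core {f['version']} -> {f['status']}")
```

The checker only inspects what the pom declares; transitive pulls of tubemq-core through another InLong module are not visible here, so a dependency tree (`mvn dependency:tree`) is still the authoritative inventory.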
• linux / server: journalctl -u tubemq-core -f | grep -i "injection"
• java / supply-chain: Inspect InLong configuration files for any user-supplied data that is directly incorporated into code execution paths.
• generic web: Monitor InLong's access logs for unusual patterns or requests that attempt to inject code.
Exploit status
EPSS: 6.79% (91st percentile)
CVSS vector
The primary mitigation for CVE-2024-36268 is to upgrade Apache InLong to version 1.13.0 or later. If an immediate upgrade is not feasible, a temporary workaround is a rigorous review of every path by which user-supplied input reaches InLong, ensuring that it is properly validated and sanitized before it can influence code execution. Enforcing strict input validation rules and limiting user privileges also reduce the attack surface. Monitor InLong logs for unusual activity or suspicious code execution attempts. The fix is available in the official GitHub pull request: https://github.com/apache/inlong/pull/10251. After upgrading, confirm the fix by attempting to trigger the vulnerable code path with malicious input and verifying that it is properly sanitized.
Upgrade Apache InLong to version 1.13.0 or apply the patch provided in https://github.com/apache/inlong/pull/10251. This fixes the code injection vulnerability that allows remote code execution. Upgrading as soon as possible is recommended to avoid potential attacks.
CVE-2024-36268 is a Code Injection vulnerability affecting Apache InLong versions 1.10.0 through 1.12.0, allowing potential Remote Code Execution.
If you are using Apache InLong versions 1.10.0 to 1.12.0, you are potentially affected by this vulnerability. Upgrade to 1.13.0 or later to mitigate the risk.
The recommended fix is to upgrade Apache InLong to version 1.13.0 or later. As a temporary workaround, implement strict input validation and code review.
Currently, there are no confirmed reports of active exploitation, but the availability of a public proof-of-concept increases the risk.
Refer to the Apache InLong GitHub repository for updates and advisories: https://github.com/apache/inlong