Platform: java
Component: org.apache.inlong:tubemq-core
Fixed in: 1.12.1, 1.13.0
CVE-2024-36268 describes a Code Injection vulnerability within Apache InLong, potentially leading to Remote Code Execution. This flaw impacts versions 1.10.0 through 1.12.0. A fix is available in version 1.13.0, and users are strongly encouraged to upgrade immediately.
The Code Injection vulnerability in Apache InLong allows an attacker to inject malicious code into the system. Successful exploitation could lead to complete system compromise, including data exfiltration, modification, and denial of service. The attacker could potentially gain control of the InLong cluster and leverage it for further attacks within the network. While no specific real-world exploits have been publicly linked to this vulnerability yet, the potential for RCE makes it a high-priority concern, especially given the complexity of distributed messaging systems like InLong.
CVE-2024-36268 was publicly disclosed on August 2, 2024. Its severity is rated HIGH with a CVSS score of 7.6. There are currently no known active campaigns exploiting this vulnerability, but the availability of a public proof-of-concept could change this rapidly. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations utilizing Apache InLong for data streaming and messaging, particularly those running versions 1.10.0 through 1.12.0, are at risk. This includes companies relying on InLong for real-time data pipelines, event-driven architectures, and integration with other systems. Shared hosting environments where InLong instances are deployed alongside other applications should be especially vigilant.
• linux / server: journalctl -u tubemq-core -f | grep -i "injection"
• java / supply-chain: Inspect InLong configuration files for any user-supplied data that is directly incorporated into code execution paths.
• generic web: Monitor InLong's access logs for unusual patterns or requests that attempt to inject code.
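The supply-chain check above can be scripted against a build file. The following is an added example, not code from the advisory or from the Apache InLong project: it scans a Maven pom.xml for the org.apache.inlong:tubemq-core coordinates listed on this page, resolves simple ${property} versions, and flags versions inside the 1.10.0 to 1.12.0 range. The embedded pom is constructed sample input.

```python
# Added example: flag Maven dependencies on the InLong artifact affected by
# CVE-2024-36268. Range and fixed version are taken from the advisory text.
import re
import xml.etree.ElementTree as ET

AFFECTED_GROUP, AFFECTED_ARTIFACT = "org.apache.inlong", "tubemq-core"
AFFECTED_MIN, AFFECTED_MAX = (1, 10, 0), (1, 12, 0)  # inclusive, per advisory
FIXED_VERSION = "1.13.0"

# Constructed sample pom.xml; the version is supplied through a property,
# which is the common layout in real projects.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><inlong.version>1.11.0</inlong.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.inlong</groupId>
      <artifactId>tubemq-core</artifactId>
      <version>${inlong.version}</version>
    </dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """Turn '1.12.0' (or '1.12') into a comparable int tuple; qualifiers are ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def is_affected(version):
    """True when the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def affected_dependencies(pom_xml):
    """Return [(artifactId, resolved version)] for each vulnerable InLong dependency."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "") for p in root.findall("m:properties/*", ns)}
    hits = []
    for dep in root.findall(".//m:dependency", ns):
        group = dep.findtext("m:groupId", default="", namespaces=ns)
        artifact = dep.findtext("m:artifactId", default="", namespaces=ns)
        version = dep.findtext("m:version", default="", namespaces=ns)
        # Resolve ${prop} references from <properties>; unknown ones are left as-is.
        version = re.sub(r"\$\{([^}]+)\}", lambda mm: props.get(mm.group(1), mm.group(0)), version)
        # Caveat: a dependency with no <version> (managed by a parent or BOM) is not
        # resolved here; use `mvn dependency:tree` to see the effective version.
        if (group, artifact) == (AFFECTED_GROUP, AFFECTED_ARTIFACT) and version and is_affected(version):
            hits.append((artifact, version))
    return hits
```

For a real project, pass the contents of the effective pom (`mvn help:effective-pom`) so inherited and managed versions are included.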
disclosure
Exploit status
EPSS: 6.79% (91st percentile)
CVSS vector
The primary mitigation for CVE-2024-36268 is to upgrade Apache InLong to version 1.13.0 or later. If immediate upgrading is not feasible, a temporary workaround involves rigorous code review of any user-supplied input to InLong, ensuring proper sanitization and validation to prevent code injection. Implementing strict input validation rules and limiting user privileges can also reduce the attack surface. Monitor InLong logs for any unusual activity or suspicious code execution attempts. The fix is available in the official GitHub pull request: https://github.com/apache/inlong/pull/10251. After upgrading, confirm the fix by attempting to trigger the vulnerable code path with malicious input and verifying that it is properly sanitized.
Update Apache InLong to version 1.13.0 or apply the patch provided in https://github.com/apache/inlong/pull/10251. This fixes the code injection vulnerability that allows remote code execution. Updating as soon as possible is recommended to avoid possible attacks.
CVE-2024-36268 is a Code Injection vulnerability affecting Apache InLong versions 1.10.0 through 1.12.0, allowing potential Remote Code Execution.
If you are using Apache InLong versions 1.10.0 to 1.12.0, you are potentially affected by this vulnerability. Upgrade to 1.13.0 or later to mitigate the risk.
The recommended fix is to upgrade Apache InLong to version 1.13.0 or later. As a temporary workaround, implement strict input validation and code review.
Currently, there are no confirmed reports of active exploitation, but the availability of a public proof-of-concept increases the risk.
Refer to the Apache InLong GitHub repository for updates and advisories: https://github.com/apache/inlong