POC exploit code published for critical Apache HugeGraph bug

Summary: This content discusses the disclosure of a critical vulnerability in Apache HugeGraph, an open-source graph database, and the availability of proof-of-concept exploits for remote command execution.

Threat Actor: N/A

Victim: N/A

Key Points:

  • Apache HugeGraph-Server releases from 1.0.0 up to, but not including, April’s 1.3.0 release are affected by a critical vulnerability (CVE-2024-27348, CVSS 9.8) that allows an attacker to bypass the Gremlin sandbox and achieve remote code execution.
  • Proof-of-concept exploits for this vulnerability have been published on GitHub, increasing the likelihood of attacks against unpatched systems.
  • Penetration testing company SecureLayer7 has published a detailed analysis of the vulnerability, stressing that the affected software should be patched promptly.

If you haven’t yet upgraded to version 1.3.0 of Apache HugeGraph, now’s a good time because at least two proof-of-concept exploits for a CVSS 9.8-rated remote command execution bug in the open-source graph database have been made public.

Apache HugeGraph lets developers build applications on top of a graph database and is commonly deployed in Java 8 and Java 11 environments. In late April, the Apache Software Foundation disclosed a critical vulnerability, tracked as CVE-2024-27348, in HugeGraph-Server releases from 1.0.0 before April’s 1.3.0 release. Exploit code to find and compromise such systems is now on GitHub.

The issue, CVE-2024-27348, can be abused to bypass sandbox restrictions and achieve remote code execution using specially crafted Gremlin commands that take advantage of missing reflection filtering in the SecurityManager that implements the sandbox.
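Two offline checks a defender can run with data already to hand follow the points above: whether a reported HugeGraph-Server version falls in the affected range (1.0.0 up to but not including 1.3.0), and whether a Gremlin script submitted to the REST API carries the reflection or process-execution constructs a graph traversal has no reason to contain. This is an added example written for this page, not code from The Register or the Apache HugeGraph project. It assumes the default Gremlin REST path is `/gremlin` and that the script arrives either as the `gremlin` query parameter (GET) or as the `gremlin` field of a JSON body (POST); the request records below are constructed, not real captures.

```python
"""Added example (not from the article or the HugeGraph project).

1. is_affected_version(): is a HugeGraph-Server version in [1.0.0, 1.3.0)?
2. scan_log(): flag Gremlin requests whose script contains reflection or
   process-execution markers.  Assumed endpoint: the default /gremlin path.
"""
import json
import re
from urllib.parse import parse_qs

AFFECTED_MIN = (1, 0, 0)   # first affected release named in the advisory
FIXED = (1, 3, 0)          # first fixed release

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'1.2.0', 'v1.2.0' or '1.3.0-SNAPSHOT' -> (1, 2, 0) / (1, 3, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised HugeGraph version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected_version(text):
    """True when 1.0.0 <= version < 1.3.0, the range the advisory names.

    Pre-1.0 releases are not named by the advisory, so they return False."""
    return AFFECTED_MIN <= parse_version(text) < FIXED


# Constructs a Gremlin traversal has no business containing.  Category names
# are this example's own; tune the patterns to your traffic.
MARKERS = {
    "reflection": [
        r"\bjava\.lang\.reflect\b",
        r"\.getDeclared(?:Method|Field|Constructor)s?\s*\(",
        r"\.getMethods?\s*\(",
        r"\.setAccessible\s*\(",
        r"\bClass\.forName\s*\(",
    ],
    "process_exec": [
        r"\bRuntime\.getRuntime\s*\(\)",
        r"\bProcessBuilder\b",
    ],
}
_COMPILED = {cat: [re.compile(p) for p in pats] for cat, pats in MARKERS.items()}


def classify_script(script):
    """Sorted list of marker categories present in one Gremlin script."""
    return sorted(cat for cat, regs in _COMPILED.items()
                  if any(r.search(script) for r in regs))


def extract_script(record):
    """Pull the Gremlin script out of one request record, or None."""
    if record.get("path", "").rstrip("/") != "/gremlin":   # assumed default path
        return None
    if record.get("method") == "GET":
        return parse_qs(record.get("query", "")).get("gremlin", [None])[0]
    try:
        body = json.loads(record.get("body") or "{}")
    except json.JSONDecodeError:
        return None
    return body.get("gremlin") if isinstance(body, dict) else None


def scan_log(lines):
    """Return (line_number, categories, script) for every request that trips a marker."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue                      # not one of our JSON request records
        script = extract_script(record)
        if not script:
            continue
        cats = classify_script(script)
        if cats:
            hits.append((n, cats, script))
    return hits


# Constructed request records, one JSON object per line (not real traffic).
SAMPLE_LOG = [
    json.dumps({"method": "POST", "path": "/gremlin",
                "body": json.dumps({"gremlin": "g.V().hasLabel('person').limit(5)"})}),
    json.dumps({"method": "GET", "path": "/gremlin", "query": "gremlin=g.E().count()"}),
    json.dumps({"method": "POST", "path": "/gremlin",
                "body": json.dumps({"gremlin": "java.lang.Runtime.getRuntime().exec('id')"})}),
    json.dumps({"method": "POST", "path": "/gremlin",
                "body": json.dumps({"gremlin": "Class.forName('java.lang.System')"
                                               ".getDeclaredMethod('getenv', String)"
                                               ".setAccessible(true)"})}),
    json.dumps({"method": "GET", "path": "/graphs/hugegraph/schema", "query": ""}),
]

if __name__ == "__main__":
    for v in ("1.0.0", "1.2.0", "1.3.0"):
        print(v, "affected" if is_affected_version(v) else "not affected")
    for n, cats, script in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(cats)} :: {script}")
```

The script markers are a heuristic, not a fix: Groovy string concatenation or dynamic method names will slip past a regex, and a server that accepts unauthenticated Gremlin at all is the real problem. Treat a hit as an alert to investigate, and treat the version check as the thing to act on.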

There is a far more detailed analysis of the CVE from penetration testing outfit SecureLayer7, which warns that admins really need to fix this.

If exploited, the flaw ultimately gives the attacker complete control over the server and allows them to steal confidential data, snoop around the victim organization’s internal network, deploy ransomware, or perform any number of other evil deeds.

In disclosing the bug back in April, the open source project urged users to upgrade to version 1.3.0 with Java 11 and to enable the Auth system to fix the flaw. Apache credited someone named “6right” from Chinese cloud security vendor Moresec with finding and reporting the flaw.

“Also you could enable the ‘Whitelist-IP/port’ function to improve the security of RESTful-API execution,” project maintainers said at the time.

Hopefully, users have already updated to a fixed version. But if you haven’t, there’s no time like now — before miscreants start abusing POC exploit code.

One POC exploit, contributed by bug bounty hunter Milan Jovic, allows unauthenticated users to execute OS commands on vulnerable versions.

Another exploit developer, Zeyad Azima, has released a Python scanner, which, while intended to be used for ethical purposes only, will make it easier for anyone to find vulnerable HugeGraph implementations.

Given how widely used the open source project is, and the severity of the flaw, we’d suggest upgrading to a fixed version ASAP. ®

Source: https://www.theregister.com/2024/06/07/poc_apache_hugegraph
