The Common Vulnerabilities and Exposures (CVE) system has assigned the identifier CVE-2024-45772 to a deserialization-of-untrusted-data vulnerability in the Apache Lucene Replicator module. The vulnerable code lives in the deprecated org.apache.lucene.replicator.http package (HttpClientBase, HttpReplicator and the ReplicationService servlet); the org.apache.lucene.replicator.nrt package is not affected.
Affected versions: from 4.4.0 before 9.12.0.
Affected users are strongly advised to upgrade to version 9.12.0 or later, which contains the fix.
Description
Deserialization of untrusted data in the Apache Lucene Replicator module can lead to remote code execution, denial of service, or information disclosure, depending on which classes are reachable on the client's classpath. The deprecated HTTP replicator client (HttpClientBase, used by HttpReplicator) reads part of the server's response with Java's ObjectInputStream, so an attacker who controls or impersonates the replication server the client connects to, or who can tamper with that network connection, can return a crafted serialized payload that the client deserializes. In short: the exposure is on the client side, and it is reachable over the network wherever a replicator client talks to a server that is not fully trusted.
Mitigation
Users who cannot update immediately can mitigate the issue by applying a Java serialization filter on the command line, such as -Djdk.serialFilter='!*', which rejects every class during Java deserialization and therefore stops a crafted payload before any of its classes are instantiated. Normal replication traffic does not depend on Java serialization, so replication keeps working with the filter in place. Note, however, that the filter is JVM-wide: it will also break any other code in the same process that legitimately calls ObjectInputStream.readObject. Check for that before rolling it out, or use a narrower allow-list pattern instead of rejecting everything.
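To see what the filter actually does, the following added example (written for this page, not code from the Lucene project) serializes a Throwable in the same way the pre-9.12.0 replicator server sends error responses, then reads it back once without a filter and once with a per-stream filter built from the same "!*" pattern used by -Djdk.serialFilter. The byte payload is constructed locally; a hostile server would substitute a gadget chain for the harmless exception used here. Only the JDK is required.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

public class SerialFilterDemo {

  // Constructed stand-in for a replication server's error response: a Java-serialized
  // Throwable. An attacker-controlled server would put a gadget chain here instead.
  static byte[] serializedThrowable() throws IOException {
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
      oos.writeObject(new IllegalStateException("replication failed"));
    }
    return bos.toByteArray();
  }

  // Mirrors the vulnerable client behaviour: deserialize whatever the peer sent.
  static Object readUnfiltered(byte[] body) throws IOException, ClassNotFoundException {
    try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body))) {
      return ois.readObject();
    }
  }

  // Same read, but with a per-stream filter equivalent to -Djdk.serialFilter='!*'.
  // The filter is consulted for every class descriptor, returns REJECTED for all of
  // them, and readObject() fails with InvalidClassException before any object is built.
  static Object readWithRejectAllFilter(byte[] body) throws IOException, ClassNotFoundException {
    try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body))) {
      ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("!*"));
      return ois.readObject();
    }
  }

  public static void main(String[] args) throws Exception {
    byte[] body = serializedThrowable();
    System.out.println("unfiltered: " + readUnfiltered(body));
    try {
      readWithRejectAllFilter(body);
      System.out.println("filtered: unexpectedly accepted");
    } catch (InvalidClassException e) {
      System.out.println("filtered: rejected (" + e.getMessage() + ")");
    }
  }
}
```

Running the JVM with -Djdk.serialFilter='!*' applies the same REJECTED verdict to every ObjectInputStream in the process without touching the code, which is why it works as a drop-in mitigation for the replicator client; the per-stream form shown above is the option to reach for when other code in the same JVM still needs Java serialization.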
Code Snippet
Here is an exemplary code snippet of a potentially vulnerable implementation using the affected package. HttpReplicator is a subclass of HttpClientBase; the host, port and servlet path below are placeholders:
import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
import org.apache.lucene.replicator.Replicator;
import org.apache.lucene.replicator.http.HttpReplicator;
public class CustomClient {
    public static void main(String[] args) throws Exception {
        // Client for a ReplicationService servlet at http://lucene.example.com:80/replicate
        // (placeholder endpoint). Before 9.12.0 the client reads the server's error
        // responses with ObjectInputStream, which is the deserialization sink behind
        // CVE-2024-45772: whoever controls that endpoint controls what gets deserialized.
        Replicator replicator = new HttpReplicator(
            "lucene.example.com", 80, "/replicate", new BasicHttpClientConnectionManager());
        // Further implementation code
        replicator.close();
    }
}
Original References
- CVE details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45772
- Apache Lucene Security Advisory: https://lucene.apache.org/core/security.html#CVE-2024-45772
Conclusion
The deserialization of untrusted data vulnerability (CVE-2024-45772) in the Apache Lucene Replicator module is a serious issue and can lead to code execution on the replicating client if left unaddressed. Users must upgrade to version 9.12.0 or later, or apply the serialization-filter mitigation described above if they are unable to update immediately.
Stay informed, and keep your systems safe and up-to-date!
Timeline
Published on: 09/30/2024 09:15:02 UTC
Last modified on: 12/12/2024 17:15:10 UTC