Apache Product Security Update Advisory
Overview
We have released a security update to address a vulnerability in Apache products. Users of affected products are advised to update to the latest version.
Affected Products
CVE-2024-45387
- Apache Traffic Control Versions: 8.0.0 (inclusive) ~ 8.0.1 (inclusive)
CVE-2024-52046
- Apache MINA Versions: 2.0 (inclusive) ~ 2.0.26 (inclusive)
- Apache MINA Versions: 2.1 (inclusive) ~ 2.1.9 (inclusive)
- Apache MINA Versions: 2.2 (inclusive) ~ 2.2.3 (inclusive)
CVE-2024-56337
- Apache Tomcat Versions: 11.0.0-M1 (inclusive) ~ 11.0.1 (inclusive)
- Apache Tomcat Versions: 10.1.0-M1 (inclusive) ~ 10.1.33 (inclusive)
- Apache Tomcat Versions: 9.0.0-M1 (inclusive) ~ 9.0.97 (inclusive)
Resolved Vulnerabilities
SQL injection vulnerability in Apache Traffic Control (CVE-2024-45387)
Code injection vulnerability in Apache MINA (CVE-2024-52046)
Remote code execution vulnerability in Apache Tomcat (CVE-2024-56337)
Vulnerability Patches
Patched versions are available in the latest releases. Please follow the instructions on the referenced sites to update to the patched version listed below for your product.
CVE-2024-45387
- Apache Traffic Control Version: 8.0.2
CVE-2024-52046
- Apache MINA Version: 2.0.27
- Apache MINA Version: 2.1.10
- Apache MINA Version: 2.2.4
CVE-2024-56337
- Apache Tomcat Version: 11.0.2 or later
- Apache Tomcat Version: 10.1.34 or later
- Apache Tomcat Version: 9.0.98 or later
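The affected and patched ranges above, as an added inventory check that is not part of the advisory or of any Apache project: it parses the version strings used here, including Tomcat milestone tags such as 11.0.0-M1, and reports which listed range and fixed version apply to an installed version. The product name strings, the ADVISORY table layout and the sample versions are assumptions made for this example.

```python
import re

# Affected ranges (inclusive bounds) and the fixed version for each range,
# transcribed from this advisory. Entry: (cve, product, lowest, highest, fixed).
ADVISORY = [
    ("CVE-2024-45387", "Apache Traffic Control", "8.0.0", "8.0.1", "8.0.2"),
    ("CVE-2024-52046", "Apache MINA", "2.0", "2.0.26", "2.0.27"),
    ("CVE-2024-52046", "Apache MINA", "2.1", "2.1.9", "2.1.10"),
    ("CVE-2024-52046", "Apache MINA", "2.2", "2.2.3", "2.2.4"),
    ("CVE-2024-56337", "Apache Tomcat", "11.0.0-M1", "11.0.1", "11.0.2"),
    ("CVE-2024-56337", "Apache Tomcat", "10.1.0-M1", "10.1.33", "10.1.34"),
    ("CVE-2024-56337", "Apache Tomcat", "9.0.0-M1", "9.0.97", "9.0.98"),
]

# Dotted numeric version, optionally followed by a Tomcat milestone tag like "-M1".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-M(\d+))?$")


def parse_version(text):
    """Convert a version string into an order-preserving tuple.

    Numeric parts are padded to three components so the advisory's "2.0" bound
    reads as 2.0.0; a milestone "M<n>" sorts below the final release of the
    same number, which gets an infinite sentinel in the last slot instead.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    milestone = int(match.group(2)) if match.group(2) else float("inf")
    return tuple(parts) + (milestone,)


def check(product, version):
    """Return [(cve, fixed_version)] for every advisory range covering version.

    An empty list means no listed range matched; unlisted branches are not judged.
    """
    installed = parse_version(version)
    return [
        (cve, fixed)
        for cve, prod, low, high, fixed in ADVISORY
        if prod == product and parse_version(low) <= installed <= parse_version(high)
    ]


if __name__ == "__main__":
    # Constructed sample, not a real inventory.
    print(check("Apache Tomcat", "10.1.0-M5"))  # [('CVE-2024-56337', '10.1.34')]
```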
References
[1] CVE-2024-45387: Apache Traffic Control: SQL Injection in Traffic Ops endpoint PUT deliveryservice_request_comments
https://lists.apache.org/thread/t38nk5n7t8w3pb66z7z4pqfzt4443trr
[2] CVE-2024-52046: Apache MINA: MINA applications using unbounded deserialization may allow RCE
https://lists.apache.org/thread/4wxktgjpggdbto15d515wdctohb0qmv8
[3] [SECURITY] CVE-2024-56337 Apache Tomcat – RCE via write-enabled default servlet – CVE-2024-50379 mitigation was incomplete
https://lists.apache.org/thread/b2b9qrgjrz1kvo4ym8y2wkfdvwoq6qbp