The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability in Apache HugeGraph Server to its catalog of known exploitable vulnerabilities (KEV), indicating that the bug is being actively exploited.
The addition also forces federal agencies to issue a patch before the Oct. 9 deadline or stop using the vulnerable product altogether.
The bug in question is a remote command execution flaw in the Gremlin graph traversal language API. Its severity is 9.8 and it affects all versions of the software prior to 1.3.0. It is tracked as CVE-2024-27348 and was patched months ago – in April.
Four more bugs
In addition to installing the patch, users are also advised to use JAva 11 and enable the Auth system. Furthermore, they should enable the “Whitelist IP/port” feature, as it improves the security of RESTful API execution, it was added.
In mid-July of this year, the Shadowserver Foundation reported that evidence of abuse of the vulnerability had been found. According to the foundation, the PoC code had been public since early June.
“If you use HugeGraph, make sure you update it,” the organization said at the time.
Apache HugeGraph is an open source graph database system, supporting the storage and querying of billions of vertices and edges. Implemented using the Apache TinkerPop3 framework, it is fully compatible with the Gremlin query language, enabling complex graph queries and analysis.
In addition to the RCE vulnerability, CISA has added four other vulnerabilities to the KEV catalog: a remote code execution vulnerability in Microsoft SQL Server Reporting Services (CVE-2020-0618), a vulnerability in Microsoft Windows Task Scheduler Privilege Escalation (CVE-2019-1069), a remote code execution vulnerability in Oracle JDeveloper (CVE-2022-21445), and a remote code execution vulnerability in Oracle WebLogic Server (CVE-2020-14644).
BleepingComputer reports that adding these bugs to the catalog does not necessarily mean that they are currently being exploited. It only means that they were exploited at some point in the past.
Via BleepingComputer
