If you haven't yet upgraded to version 1.3.0 of Apache HugeGraph, now's a good time because at least two proof-of-concept exploits for a CVSS 9.8-rated remote command execution bug in the open-source graph database have been made public.

Apache HugeGraph lets developers build applications based on graph databases and is commonly used in Java 8 and Java 11 environments. In late April, the Apache Software Foundation disclosed a critical vulnerability, tracked as CVE-2024-27348, in versions of HugeGraph-Server 1.0.0 before April’s 1.3.0 release. Now exploit code to find and crack such systems is on GitHub.

The issue, CVE-2024-27348, can be abused to bypass sandbox restrictions, and achieve remote code execution using specially crafted Gremlin commands that exploit missing reflection filtering in the SecurityManager.

There's a much detailed analysis of the CVE from penetration testing outfit SecureLayer7 warning that admins really need to fix this.

If exploited, the flaw ultimately gives the attacker complete control over the server and allows them to steal confidential data, snoop around the victim organization's internal network, deploy ransomware, or perform any other number of evil deeds.

In disclosing the bug back in April, the open source project urged users to upgrade to version 1.3.0 with Java11 and enable the Auth system to fix the flaw. Apache credited someone named “6right” from Chinese cloud security vendor Moresec with finding and reporting the flaw.

"Also you could enable the "Whitelist-IP/port" function to improve the security of RESTful-API execution," project maintainers said at the time.

Hopefully, users have already updated to a fixed version. But if you haven't, there's no time like now - before miscreants start abusing POC exploit code.

One POC exploit, contributed by bug bounty hunter Milan Jovic, allows unauthenticated users to execute OS commands on vulnerable versions.

Another exploit developer, Zeyad Azima, has released a Python scanner, which, while intended to be used for ethical purposes only, will make it easier for anyone to find vulnerable HugeGraph implementations.

Considering the widely used nature of the open source project, and the severity of the flaw, we'd suggested upgrading to a fixed version ASAP. ®

https://www.theregister.com//2024/06/07/poc_apache_hugegraph/