CVE-2024-45387: Apache Traffic Control Flaw Allows Arbitrary Code Execution
The Apache Software Foundation has released security updates to address a critical vulnerability in its Traffic Control system. The flaw, designated CVE-2024-45387, carries a critical-severity CVSS score of 9.9 out of 10.
The vulnerability allows an attacker to execute arbitrary SQL commands in the database. It affects Apache Traffic Control versions 8.0.1 and earlier. According to the developers, exploitation requires an account that already holds a privileged role such as admin, federation, operations, portal, or steering; the attack is carried out by submitting a specially crafted PUT request.
Apache Traffic Control is an open-source implementation of a content delivery network (CDN). In June 2018, it achieved top-level project status under the Apache Software Foundation.
The vulnerability was discovered by security researcher Yuan Luo from Tencent Security Lab. To mitigate potential attacks, users are strongly advised to update Apache Traffic Control to version 8.0.2.
In addition to this fix, the Apache Software Foundation has addressed other significant vulnerabilities. These include an authentication bypass in Apache HugeGraph-Server (CVE-2024-43441), which affects versions 1.0 through 1.3 and is resolved in version 1.5.0. A critical vulnerability in Apache Tomcat (CVE-2024-56337), which under certain conditions could lead to remote code execution, was also patched recently.
Users are urged to apply these updates promptly to ensure the security of their systems and mitigate the risk of exploitation.