Apache HugeGraph-Server flaw actively exploited, CISA warns

The US Cybersecurity and Infrastructure Security Agency (CISA) has added an Apache HugeGraph-Server vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signaling that the bug is actively being exploited in the wild.

The addition also forces federal agencies to apply a patch before the October 9 deadline, or stop using the vulnerable product altogether.

The bug in question is a remote command execution flaw in the Gremlin graph traversal language API. It carries a severity score of 9.8, and affects all versions of the software prior to 1.3.0. It is tracked as CVE-2024-27348, and it was patched months ago – in April.

Four more bugs

Besides installing the patch, users are also recommended to use JAva 11 and enable the Auth system. Furthermore, they should enable the “Whitelist-IP/port” function, since it improves the security of the RESTful-API execution, it was added.

In mid-July this year, the Shadowserver Foundation said it found evidence of the flaw’s exploitation, adding that the PoC code has been public since early June.

“If you run HugeGraph, make sure to update,” the organization said at the time.

Apache HugeGraph is an open source graph database system, supporting the storage and querying of billions of vertices and edges. Implemented with the Apache TinkerPop3 framework, it is fully compatible with the Gremlin query language, allowing for complex graph queries and analyses.

Besides the RCE flaw, CISA added another four flaws to the KEV catalog – a Microsoft SQL Server Reporting Services Remote Code Execution vulnerability (CVE-2020-0618), a Microsoft Windows Task Scheduler Privilege Escalation vulnerability (CVE-2019-1069), an Oracle JDeveloper Remote Code Execution vulnerability (CVE-2022-21445), and an Oracle WebLogic Server Remote Code Execution vulnerability (CVE-2020-14644).

Adding these bugs to the catalog doesn’t necessarily mean they are currently being exploited, BleepingComputer reports, it just means that they were being exploited at some point in the past.

Via BleepingComputer

More from TechRadar Pro

https://cdn.mos.cms.futurecdn.net/YbizeHRMkF5QLe6eeYypqc-1200-80.jpg

Source link

Tired of EV charging hassle? This start-up wants to solve it with its ‘Face ID for vehicles’

These top wireless fitness earbuds from Beats have dropped to a record-low price

Sending One Email With ChatGPT is the Equivalent of Consuming One Bottle of Water

Microsoft warns US healthcare of threat actor using new ransomware

What UK political parties are promising in the 2019 general election

Otto Warmbier’s parents want North Korea to suffer for their son’s death

Could a ‘youthquake’ cause Boris Johnson to lose the general election?

People are driving through flames to escape this California wildfire

New ‘Westworld’ trailer introduces us to another dystopian tech company

What’s the point of ‘Charlie’s Angels’ without Sam Rockwell dancing?

These striking photos capture the future of human flight

‘Heathers’ is still the best dark comedy about high school hell

NextNav’s chief accounting officer sells shares worth $5,799 By Investing.com

FTC Sues CVS, Cigna, UnitedHealth over insulin prices

‘A lot holds in the balance’

Houlihan Lokey stock soars to all-time high of $160.64 By Investing.com

The YouTuber who has become one of Gen Z’s most beloved celebrities

26 last-minute holiday gifts that are still thoughtful and unique

Practicing gratitude regularly can make you less stressed and sleep better

8 things millennials wish you would just stop getting them for the holidays

Apache HugeGraph-Server flaw actively exploited, CISA warns

Tired of EV charging hassle? This start-up wants to solve it with its ‘Face ID for vehicles’

NextNav’s chief accounting officer sells shares worth $5,799 By Investing.com

FTC Sues CVS, Cigna, UnitedHealth over insulin prices

‘A lot holds in the balance’

Leave a reply Cancel reply