Recently, the Apache Software Foundation (ASF) announced security updates fixing a critical SQL injection vulnerability in Apache Traffic Control, a widely used Content Delivery Network (CDN) platform. On successful exploitation, the vulnerability could permit attackers to execute arbitrary SQL commands, potentially compromising the database.
The vulnerability, tracked as CVE-2024-45387, has been rated critical with a CVSS score of 9.9. Apache Traffic Control versions 8.0.0 and 8.0.1 are affected.
An attacker acting as a privileged user with one of the ‘admin,’ ‘federation,’ ‘operations,’ ‘portal,’ or ‘steering’ roles can compromise application state by sending a specially crafted PUT request that executes arbitrary SQL commands against the backing database.
In June 2018, Apache Traffic Control, an open-source Content Delivery Network (CDN) implementation, was promoted to a top-level project by the ASF.
The vulnerability, discovered by Yuan Luo, a researcher at Tencent YunDing Security Lab, is fixed in Apache Traffic Control version 8.0.2. This patch follows ASF’s recent fix for Apache Tomcat (CVE-2024-56337), which may lead to remote code execution under certain conditions, and a patch for an authentication bypass vulnerability in Apache HugeGraph-Server (CVE-2024-43441).
At Bluefire Redteam, we are committed to staying ahead of emerging security threats and ensuring your systems remain secure. We recommend that all users promptly update their Apache Traffic Control instances to the latest version (8.0.2 or later) to protect against potential exploitation.
With Bluefire Redteam’s expert guidance, your organization can confidently navigate the evolving cybersecurity landscape. Stay proactive, stay secure.