CVE-2024-52046
CVSS 3.1 Score 9.8 of 10 (high)
Details
Summary
CVE-2024-52046 is a remote code execution vulnerability affecting Apache MINA core versions 2.0.X, 2.1.X, and 2.2.X. The issue lies in the ObjectSerializationDecoder's use of Java's native deserialization protocol without adequate security checks: the decoder resolves and instantiates whatever class the incoming byte stream names. Attackers can exploit this by sending malicious serialized data, potentially leading to RCE. Applications using the MINA core library are only affected if the IoBuffer#getObject() method is called, which happens when a ProtocolCodecFilter instance built from the ObjectSerializationCodecFactory class is added to the filter chain. To mitigate the risk, upgrade to the latest versions (2.0.27, 2.1.10, and 2.2.4) and configure the decoder to accept only trusted classes using one of the new methods provided in the ObjectSerializationDecoder class. By default, the patched decoder rejects all incoming classes, so an upgrade alone will break object-serialization traffic until an explicit allowlist is configured. The FtpServer, SSHd, and Vysper sub-projects are not affected by this vulnerability.
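The following is an added example, not code from the CVE record or from the Apache MINA project. It shows the filter-chain setup the summary describes as affected (an ObjectSerializationCodecFactory wrapped in a ProtocolCodecFilter) next to a hardened setup for the fixed releases that installs an explicit decoder with an allowlist. The MINA types and constructors used (ProtocolCodecFilter, ObjectSerializationCodecFactory, ObjectSerializationDecoder, ObjectSerializationEncoder, NioSocketAcceptor, setMaxObjectSize) are real 2.x API; the allowlist method name `accept(String... patterns)` is assumed from the upstream fix and should be checked against the 2.2.4 javadoc, and the package `com.example.app.dto` is a hypothetical placeholder for an application's own DTO classes.

```java
// Added example (not from the CVE record or the MINA project).
// Assumption: ObjectSerializationDecoder#accept(String... patterns) is the allowlist
// method introduced in 2.0.27 / 2.1.10 / 2.2.4; verify against the release javadoc.
import org.apache.mina.core.service.IoAcceptor;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.serialization.ObjectSerializationCodecFactory;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;

public class MinaObjectCodecHardening {

    /**
     * The affected pattern from the summary: the factory's decoder calls
     * IoBuffer#getObject() on untrusted bytes, so any class reachable from the
     * context class loader can be instantiated by a remote peer (pre-fix versions).
     */
    static void affectedChain(IoAcceptor acceptor) {
        acceptor.getFilterChain().addLast("codec",
            new ProtocolCodecFilter(new ObjectSerializationCodecFactory()));
    }

    /**
     * Hardened pattern for the fixed releases: build the decoder explicitly and
     * allowlist only the application's own message classes. The patched decoder
     * rejects every class by default, so without accept(...) nothing deserializes.
     */
    static void hardenedChain(IoAcceptor acceptor, ClassLoader appLoader) {
        ObjectSerializationDecoder decoder = new ObjectSerializationDecoder(appLoader);

        // Hypothetical application package; only classes matching these patterns
        // may be resolved from the wire. Keep this list as small as possible and
        // never allowlist broad patterns such as "java.*" or "*".
        decoder.accept("com.example.app.dto.*");

        // Independent of the class allowlist: cap the encoded object size so a
        // peer cannot force a large allocation before the class check runs.
        decoder.setMaxObjectSize(64 * 1024);

        acceptor.getFilterChain().addLast("codec",
            new ProtocolCodecFilter(new ObjectSerializationEncoder(), decoder));
    }

    public static void main(String[] args) throws Exception {
        NioSocketAcceptor acceptor = new NioSocketAcceptor();
        hardenedChain(acceptor, MinaObjectCodecHardening.class.getClassLoader());
        // Bind to an ephemeral local port only to show the chain is wired up.
        acceptor.bind(new java.net.InetSocketAddress("127.0.0.1", 0));
        System.out.println("listening on " + acceptor.getLocalAddress());
        acceptor.unbind();
        acceptor.dispose();
    }
}
```

When auditing a codebase for exposure, search for `ObjectSerializationCodecFactory`, `ObjectSerializationDecoder` and direct calls to `IoBuffer.getObject(`; any hit on a pre-fix version is in scope, and after upgrading each such decoder needs its own allowlist or the connection will reject all objects.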
Affected Products
- Apache Mina
Affected Vendors
- Apache Corporation