Rewterz Threat Advisory – Multiple Apache Products Vulnerabilities

Severity

High

Analysis Summary

CVE-2024-23114 CVSS:9.8

Apache Camel could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the CassandraAggregationRepository component. By sending specially crafted requests, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2024-22369 CVSS:9.8

Apache Camel could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the JDBCAggregationRepository component. By sending specially crafted requests, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2024-23608 CVSS:5.5

Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error. By persuading a victim to open a specially crafted Pack200 file, a remote attacker could exploit this vulnerability to cause a denial of service condition.

CVE-2024-25710 CVSS:5.5

Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw. By persuading a victim to open a specially crafted DUMP file, a remote attacker could exploit this vulnerability to cause a denial of service condition.

Impact

• Denial of Service
• Gain Access
• Code Execution

Indicators Of Compromise

CVE

• CVE-2024-23114
• CVE-2024-22369
• CVE-2024-23608
• CVE-2024-25710

Affected Vendors

Apache

Affected Products

• Apache Camel 3.0.0
• Apache Camel 3.21.3
• Apache Camel 3.22.0
• Apache Camel 4.0.0
• Apache Camel 4.0.3
• Apache Camel 4.1.0
• Apache Camel 4.3.0
• Apache Commons Compress 1.25.0
• Apache Commons Compress 1.21

Remediation

Refer to the Apache Website for patch, upgrade, or suggested workaround information.

Apache Camel

Apache Commons Compress