The Apache Software Foundation (ASF) has issued security updates for a critical vulnerability in Apache Traffic Control. The flaw, tracked as CVE-2024-45387, allows a successful attacker to run unauthorized Structured Query Language (SQL) commands against the backing database, and it carries a CVSS (Common Vulnerability Scoring System) score of 9.9 out of 10.0.
The vulnerability lies in the Traffic Ops component of Apache Traffic Control versions 8.0.0 and 8.0.1 and earlier. A user holding one of the privileged roles 'admin', 'federation', 'operations', 'portal' or 'steering' can execute arbitrary SQL commands by sending a specially crafted PUT request. The project maintainers described the issue in an advisory shared with the community.
Apache Traffic Control is an open-source solution designed for managing Content Delivery Networks (CDNs). It has been a top-level project (TLP) since its announcement by ASF in June 2018. Its widespread use makes this vulnerability particularly concerning for organizations relying on this technology for efficient data distribution.
The vulnerability was discovered and reported by Yuan Luo of Tencent YunDing Security Lab. The fix for CVE-2024-45387 ships in Apache Traffic Control 8.0.2.
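The advisory gives an affected range (8.0.1 and earlier, 8.0.0 included) and a first fixed release (8.0.2), which is exactly the kind of predicate an inventory or patch-compliance script needs. The following Go snippet is an added example written for this article; it is not code from the Apache Traffic Control project. It assumes the Traffic Ops version is available to the caller as a plain `major.minor.patch` string (an optional leading `v` or a pre-release suffix such as `-rc1` is tolerated and, as a simplifying assumption, the suffix is ignored), and it flags anything that sorts below 8.0.2 as affected.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a dotted major.minor.patch release number.
type Version struct{ Major, Minor, Patch int }

// FixedVersion is the first Apache Traffic Control release that the
// advisory names as carrying the fix for CVE-2024-45387.
var FixedVersion = Version{Major: 8, Minor: 0, Patch: 2}

// ParseVersion parses strings such as "8.0.1", "v8.0.1" or "8.0.1-rc1".
// Assumption for this example: a pre-release/build suffix is dropped
// rather than ordered, so "8.0.2-rc1" compares equal to "8.0.2".
func ParseVersion(s string) (Version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("version %q is not of the form major.minor.patch", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return Version{}, fmt.Errorf("version %q has a non-numeric component %q", s, p)
		}
		n[i] = v
	}
	return Version{Major: n[0], Minor: n[1], Patch: n[2]}, nil
}

// Less reports whether v sorts strictly before o.
func (v Version) Less(o Version) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	return v.Patch < o.Patch
}

// IsAffected reports whether a Traffic Ops version string falls in the
// range the advisory names for CVE-2024-45387: everything before 8.0.2.
// Malformed input is an error rather than a silent "not affected".
func IsAffected(s string) (bool, error) {
	v, err := ParseVersion(s)
	if err != nil {
		return false, err
	}
	return v.Less(FixedVersion), nil
}

func main() {
	// Constructed sample inputs, as an inventory script might collect them.
	for _, s := range []string{"7.1.3", "8.0.0", "8.0.1", "8.0.2", "v8.1.0", "8.0"} {
		affected, err := IsAffected(s)
		if err != nil {
			fmt.Printf("%-8s -> cannot evaluate: %v\n", s, err)
			continue
		}
		fmt.Printf("%-8s -> affected by CVE-2024-45387: %t\n", s, affected)
	}
}
```

Treating unparsable version strings as an error, not as "safe", is deliberate: a compliance check that quietly passes on garbage input hides exactly the hosts that most need attention.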
This development follows ASF's resolution of another security issue, a serious authentication bypass in Apache HugeGraph-Server (CVE-2024-43441) affecting versions 1.0 to 1.3, which was fixed in version 1.5.0 of the platform. The ASF has also addressed a notable vulnerability in Apache Tomcat (CVE-2024-56337) that could lead to remote code execution under certain circumstances.
Organizations utilizing Apache Traffic Control are strongly advised to update their systems to the latest version to ensure they are protected from this new threat. The rapid evolution of these vulnerabilities underscores the necessity for business owners to stay vigilant and proactive about software updates and cybersecurity practices.
Mapped to the MITRE ATT&CK framework, the likely tactics are initial access through a valid account that already holds one of the privileged roles, followed by privilege escalation by way of the SQL injection itself. Understanding these pathways helps organizations decide what to monitor and harden while the update is rolled out.