Apache Traffic Control platform got a critical security patch that addresses a major vulnerability that could let attackers execute arbitrary SQL commands on its database. It has got a severity rating of 9.9, and can potentially lead to unauthorized data access or modification by adversaries.
Severe SQL Injection Flaw in Apache Traffic Control Uncovered
The flaw, identified as CVE-2024-45387, carries a CVSS severity score of 9.9 out of 10 – a pretentious mark. According to the project team, the issue is an SQL injection vulnerability that could be exploited by a privileged user assigned roles like ‘admin,’ ‘federation,’ ‘operations,’ ‘portal,’ or ‘steering.’ All it takes is crafting a malicious PUT request to gain access to all the data stored on an instance.
For those who might not know, Apache Traffic Control is an open-source solution for building and managing content delivery networks. CDNs play a critical role in maintaining content accessibility around the globe, and the solution from Apache, as a well-known software vendor, is exceptionally popular. Potential scale of impact may touch tens of thousands of companies around the world.
Accessing the data can lead to a whole range of consequences. Malicious actors can steal it or use it to plan further attacks on the company’s infrastructure. If a CDN maintained with the Traffic Control platform carries any executable files or installers, hackers can inject an infected file – a direct pathway to a supply chain attack.
The vulnerability sits in the way Apache Traffic Control handles the requests. The said crafted PUT request is able to slip through the security systems because of the incorrect neutralization of certain parts of the command. Although falling under the classic definition of SQL injection, it differs wildly from one vulnerability to another.
On top of all this, adversaries trying to exploit the flaw do not require any permissions. That is, in fact, the reason for the 9.9 CVSS rating: anyone from anywhere can abuse this flaw, and there is no password or 2FA that can stop that from happening.
Apache Fixes CVE-2024-45387
One fortunate moment about this vulnerability is that its existence became known long after the release of a version that has the issue fixed. The official recommendation from Apache is to install it as soon as possible; there is no mitigation available to temporarily block the exploitation possibilities before the proper update.
The list of versions affected by the flaw is rather modest – it is only about versions 8.0.0 and 8.0.1 of Apache Traffic Control, released earlier this year. Version 8.0.2, that they’ve published in October 2024, is not affected by the issue; all 7.x.x versions are free of any danger, too.
