Apache Traffic Control Critical SQLi Vulnerability Fixed

Stephanie Adlam
4 Min Read
CVSS 9.9 Vulnerability in Apache Traffic Control Fixed, Update ASAP
Apache fixes a severe flaw in its Traffic Control platform

Apache Traffic Control platform got a critical security patch that addresses a major vulnerability that could let attackers execute arbitrary SQL commands on its database. It has got a severity rating of 9.9, and can potentially lead to unauthorized data access or modification by adversaries.

Severe SQL Injection Flaw in Apache Traffic Control Uncovered

The flaw, identified as CVE-2024-45387, carries a CVSS severity score of 9.9 out of 10 – a pretentious mark. According to the project team, the issue is an SQL injection vulnerability that could be exploited by a privileged user assigned roles like ‘admin,’ ‘federation,’ ‘operations,’ ‘portal,’ or ‘steering.’ All it takes is crafting a malicious PUT request to gain access to all the data stored on an instance.

Official vulnerability note Apache Traffic Control
Official nottification regarding the vulnerability in Traffic Control, released by Apache

For those who might not know, Apache Traffic Control is an open-source solution for building and managing content delivery networks. CDNs play a critical role in maintaining content accessibility around the globe, and the solution from Apache, as a well-known software vendor, is exceptionally popular. Potential scale of impact may touch tens of thousands of companies around the world.

Accessing the data can lead to a whole range of consequences. Malicious actors can steal it or use it to plan further attacks on the company’s infrastructure. If a CDN maintained with the Traffic Control platform carries any executable files or installers, hackers can inject an infected file – a direct pathway to a supply chain attack.

The vulnerability sits in the way Apache Traffic Control handles the requests. The said crafted PUT request is able to slip through the security systems because of the incorrect neutralization of certain parts of the command. Although falling under the classic definition of SQL injection, it differs wildly from one vulnerability to another.

On top of all this, adversaries trying to exploit the flaw do not require any permissions. That is, in fact, the reason for the 9.9 CVSS rating: anyone from anywhere can abuse this flaw, and there is no password or 2FA that can stop that from happening.

Apache Fixes CVE-2024-45387

One fortunate moment about this vulnerability is that its existence became known long after the release of a version that has the issue fixed. The official recommendation from Apache is to install it as soon as possible; there is no mitigation available to temporarily block the exploitation possibilities before the proper update.

The list of versions affected by the flaw is rather modest – it is only about versions 8.0.0 and 8.0.1 of Apache Traffic Control, released earlier this year. Version 8.0.2, that they’ve published in October 2024, is not affected by the issue; all 7.x.x versions are free of any danger, too.

Apache Traffic Control Critical SQLi Vulnerability Fixed

Share This Article
Follow:
I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.
1 Comment

AI Assistant

Hello! 👋 How can I help you today?