Apache has released a security patch for a critical SQL injection vulnerability identified in its Traffic Control software, tracked as CVE-2024-45387, with a severity rating of 9.9/10 on the CVSS scale. The vulnerability affects versions 8.0.1 and below of Traffic Ops, which is a core component of Apache Traffic Control, a popular open-source Content Delivery Network (CDN) solution. The flaw allows privileged users to send specially crafted PUT requests to execute arbitrary SQL commands on the underlying database, posing a significant risk to the affected systems.
The vulnerability was discovered by Yuan Luo from Tencent YunDing Security Lab. It allows attackers with roles such as admin, federation, operations, portal, or steering to gain unauthorized access to the database, leading to potential data breaches or further exploitation. The flaw highlights the importance of securing web applications, especially those with high privileges that interact with sensitive data and infrastructure. It was reported to the Apache Software Foundation (ASF), who responded quickly by releasing a patch to mitigate the issue.
This critical vulnerability follows other recent security updates from Apache. For example, an authentication bypass vulnerability was addressed in Apache HugeGraph-Server (CVE-2024-43441), and a remote code execution (RCE) flaw in Apache Tomcat (CVE-2024-56337) was patched. These vulnerabilities underscore the growing challenges faced by open-source software maintainers in protecting their users from emerging threats. Apache has consistently worked to resolve such vulnerabilities, demonstrating its commitment to the security of its projects.
Users of Apache Traffic Control are strongly urged to update to version 8.0.2 or later to protect against potential attacks. With the high risk associated with this SQL injection flaw, failure to patch systems could lead to severe consequences, including unauthorized data access and compromise of internal infrastructure. By promptly applying the patch, users can ensure that their systems are secured and that the integrity of their operations is maintained.
