Apache Traffic Control Vulnerability Let Attackers Inject Malicious SQL Commands


A critical SQL injection vulnerability, identified as CVE-2024-45387, has been discovered in Apache Traffic Control, a widely used open-source platform for managing large-scale content delivery networks (CDNs).

This vulnerability affects versions 8.0.0 through 8.0.1 of the software and has been assigned a CVSS score of 9.9, indicating its severe impact on system confidentiality, integrity, and availability.

The flaw resides in the Traffic Ops component of Apache Traffic Control. Specifically, it allows a privileged user with roles such as “admin,” “federation,” “operations,” “portal,” or “steering” to execute arbitrary SQL commands against the underlying database by sending a specially-crafted PUT request to the deliveryservice_request_comments endpoint.

This improper neutralization of special elements in SQL commands is classified under CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’).

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

Exploitation of this vulnerability could have devastating consequences, including:

  • Unauthorized access to sensitive information stored in the database.
  • Data manipulation or deletion.
  • Escalation of privileges within the system.
  • Full compromise of the affected infrastructure, potentially disrupting CDN operations.

The vulnerability is particularly concerning because it can be exploited remotely by users with privileged access, making it a critical issue for organizations relying on Apache Traffic Control for their CDN management.

Affected Versions

The vulnerability impacts the following versions:

  • Apache Traffic Control 8.0.0 through 8.0.1
  • Earlier versions (7.x and below) are unaffected.

The Apache Software Foundation has released a patch addressing this issue in version 8.0.2 of Apache Traffic Control. Users running affected versions are strongly urged to upgrade immediately to mitigate the risk of exploitation.

For those unable to update immediately, the following interim measures are recommended:

  1. Restrict access to Traffic Ops for users with affected roles.
  2. Monitor logs for suspicious database queries or activities.
  3. Implement input validation and parameterized queries in custom scripts interacting with Traffic Ops.
  4. Enforce the principle of least privilege by limiting user roles and permissions.

The vulnerability was reported by Yuan Luo from Tencent YunDing Security Lab, highlighting their ongoing contributions to cybersecurity research.

Organizations using Apache Traffic Control should act swiftly to apply the available patch or implement mitigations to protect their systems from potential exploitation. Given its critical severity and potential for widespread impact, addressing CVE-2024-45387 should be a top priority for affected users.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free



Source link