The US Cybersecurity and Infrastructure Security Agency (CISA) has added an Apache HugeGraph-Server vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, indicating that the bug is being actively exploited.
The addition also forces federal agencies to apply a patch by the Oct. 9 deadline or stop using the vulnerable product altogether.
The bug in question is a remote command execution flaw in the API for the Gremlin graph traversal language. It has a severity score of 9.8 and affects all versions of the software prior to 1.3.0. It is tracked as CVE-2024-27348 and was patched months ago, in April.
Four more bugs
In addition to installing the patch, users are advised to use Java 11 and enable the authentication system. They should also enable the "Whitelist-IP/port" feature, as it improves the security of RESTful API execution.
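The advice above amounts to two checks a defender can script: is the deployed version older than the fixed 1.3.0 release, and does the server configuration actually enable authentication and the IP/port whitelist. The following is an added illustration, not code from the Apache HugeGraph project or from the article; the property key names it inspects (`auth.authenticator`, `restserver.ip_whitelist`) and the sample configuration files are assumptions constructed for the example, so confirm them against the real `rest-server.properties` of the deployment before relying on the result.

```python
"""Added example: audit a HugeGraph deployment against the hardening advice.

Not HugeGraph project code. Property key names are ASSUMED for illustration
and must be checked against the actual rest-server.properties.
"""
import re

FIXED_VERSION = (1, 3, 0)  # CVE-2024-27348 is fixed in 1.3.0 (from the article)

# Assumed config keys (illustration only).
AUTH_KEY = "auth.authenticator"
WHITELIST_KEY = "restserver.ip_whitelist"


def parse_version(text):
    """Return the leading numeric components of a version string as a 3-tuple.

    '1.2.0' -> (1, 2, 0); '1.3.0-SNAPSHOT' -> (1, 3, 0); '1.3' -> (1, 3, 0).
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad short versions so (1, 3) compares equal to (1, 3, 0).
    return parts + (0,) * (3 - len(parts)) if len(parts) < 3 else parts


def is_vulnerable_version(text):
    """True when the version is older than the fixed release."""
    return parse_version(text) < FIXED_VERSION


def parse_properties(text):
    """Minimal Java .properties reader: key=value, '#'/'!' comments, blanks."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props[key.strip()] = value.strip()
    return props


def audit(version, properties_text):
    """Return a list of findings; an empty list means all three checks pass."""
    props = parse_properties(properties_text)
    findings = []
    if is_vulnerable_version(version):
        findings.append(f"version {version} is before 1.3.0: upgrade (CVE-2024-27348)")
    if not props.get(AUTH_KEY, ""):
        findings.append(f"{AUTH_KEY} is unset: authentication is disabled")
    if not props.get(WHITELIST_KEY, ""):
        findings.append(f"{WHITELIST_KEY} is unset: RESTful API accepts any source address")
    return findings


# Constructed sample configs (not real deployment files).
WEAK_CONFIG = """# constructed sample: defaults, nothing hardened
restserver.url=http://0.0.0.0:8080
gremlinserver.url=http://127.0.0.1:8182
#auth.authenticator=
"""

HARDENED_CONFIG = """# constructed sample: auth on, whitelist set
restserver.url=http://127.0.0.1:8080
gremlinserver.url=http://127.0.0.1:8182
auth.authenticator=org.apache.hugegraph.auth.StandardAuthenticator
restserver.ip_whitelist=10.0.0.0/8
"""

if __name__ == "__main__":
    for ver, cfg in (("1.2.0", WEAK_CONFIG), ("1.3.0", HARDENED_CONFIG)):
        result = audit(ver, cfg)
        print(ver, "->", result or "OK")
```

Running the module prints three findings for the weak 1.2.0 configuration and `OK` for the hardened 1.3.0 one. The version parser deliberately ignores suffixes such as `-SNAPSHOT`, so a pre-release build of 1.3.0 is treated as fixed; tighten that rule if your inventory distinguishes snapshot builds.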
In mid-July this year, the Shadowserver Foundation said it found evidence of the flaw being exploited, adding that the PoC code has been public since early June.
“If you use HugeGraph, be sure to update it,” the organization said at the time.
Apache HugeGraph is an open source graph database system that supports storing and querying billions of vertices and edges. Implemented using the Apache TinkerPop3 framework, it fully supports the Gremlin query language, enabling complex graph queries and analysis.
In addition to the RCE flaw, CISA added four other flaws to the KEV catalog: a Microsoft SQL Server Reporting Services remote code execution vulnerability (CVE-2020-0618), a Microsoft Windows Task Scheduler privilege escalation vulnerability (CVE-2019-1069), an Oracle JDeveloper remote code execution vulnerability (CVE-2022-21445), and an Oracle WebLogic Server remote code execution vulnerability (CVE-2020-14644).
Adding these bugs to the catalog doesn't necessarily mean they're currently being exploited, BleepingComputer reports; it only means they were exploited at some point in the past.
Via BleepingComputer