Apache HugeGraph-Server flaw actively exploited, CISA warns

News
By published

The vulnerability has been patched months ago

An abstract image of a lock against a digital background, denoting cybersecurity.
(Image Credit: TheDigitalArtist / Pixabay) (Image credit: Pixabay)

The US Cybersecurity and Infrastructure Security Agency (CISA) has added an Apache HugeGraph-Server vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signaling that the bug is actively being exploited in the wild.

The addition also forces federal agencies to apply a patch before the October 9 deadline, or stop using the vulnerable product altogether.

The bug in question is a remote command execution flaw in the Gremlin graph traversal language API. It carries a severity score of 9.8, and affects all versions of the software prior to 1.3.0. It is tracked as CVE-2024-27348, and it was patched months ago - in April.

Four more bugs

Besides installing the patch, users are also recommended to use JAva 11 and enable the Auth system. Furthermore, they should enable the “Whitelist-IP/port” function, since it improves the security of the RESTful-API execution, it was added.

In mid-July this year, the Shadowserver Foundation said it found evidence of the flaw’s exploitation, adding that the PoC code has been public since early June.

“If you run HugeGraph, make sure to update,” the organization said at the time.

Apache HugeGraph is an open source graph database system, supporting the storage and querying of billions of vertices and edges. Implemented with the Apache TinkerPop3 framework, it is fully compatible with the Gremlin query language, allowing for complex graph queries and analyses.

Besides the RCE flaw, CISA added another four flaws to the KEV catalog - a Microsoft SQL Server Reporting Services Remote Code Execution vulnerability (CVE-2020-0618), a Microsoft Windows Task Scheduler Privilege Escalation vulnerability (CVE-2019-1069), an Oracle JDeveloper Remote Code Execution vulnerability (CVE-2022-21445), and an Oracle WebLogic Server Remote Code Execution vulnerability (CVE-2020-14644).

Adding these bugs to the catalog doesn’t necessarily mean they are currently being exploited, BleepingComputer reports, it just means that they were being exploited at some point in the past.

Via BleepingComputer

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
A person's fingers type at a keyboard, with a digital security screen with a lock on it overlaid.
Apache Foundation urges users to patch now and fix major security worries
Representational image depecting cybersecurity protection
CISA says Oracle and Mitel have critical security flaws being exploited
A person at a laptop with a cybersecure lock symbol floating above it.
Hackers are still using old Ivanti bugs to break into networks
A digital themed isometric showing a neon padlock in the foreground, and a technological diagram of a processor logic board in the background.
CISA tells agencies to patch BeyondTrust bug now
Avast cybersecurity
Hackers are hijacking government software to access sensitive servers
Latest in Security
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak
A major Keenetic router data leak could put a million households at risk
Code Skull
Interpol operation arrests 300 suspects linked to African cybercrime rings
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple routers hit by new critical severity remote command injection vulnerability, with no fix in sight
Code Skull
This dangerous new ransomware is hitting Windows, ARM, ESXi systems
An abstract image of a lock against a digital background, denoting cybersecurity.
Critical security flaw in Next.js could spell big trouble for JavaScript users
Latest in News
OpenAI logo
OpenAI just launched a free ChatGPT bible that will help you master the AI chatbot and Sora
Monster Hunter Wilds
Monster Hunter Wilds Title Update 1 launches in early April, adding new monsters and some of the best-looking armor sets I need to add to my collection
Zotac Gaming RTX 5090 Graphics Card
Nvidia Blackwell stock woes are compounded by price hikes as more RTX 5090 GPUs soar in pricing, and I’m sick and tired of it all at this point
A collage of Elizabeth Olsen's Scarlet Witch and Tatiana Maslany's She-Hulk
Marvel fans are already tired of Doomsday and Secret Wars cast gossip as two more superheroes get linked with roles in the next two Avengers movies
Four operators survey Verdansk. One holds a sniper rifle, one binoculars, another holds is landing with their parachute, while the last wears a skull mask
New Call of Duty: Warzone trailer shows a beautiful rebuilt Verdansk, but some fans want more: 'it won't be the same unfortunately'
An Apple Music pink/pixellated poster advertising DJ with Apple Music
DJ with Apple Music lands, allowing subscribers to build and mix DJ sets directly from its +100 million-song catalog
More about security
cybersecurity

Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak

A major Keenetic router data leak could put a million households at risk
FlexiSpot office furniture next to a TechRadar-branded badge that reads Big Savings.

Upgrade your home office for under $500 in the Amazon Spring Sale: My top picks and biggest savings
See more latest
Most Popular
OpenAI logo
OpenAI just launched a free ChatGPT bible that will help you master the AI chatbot and Sora
Monster Hunter Wilds
Monster Hunter Wilds Title Update 1 launches in early April, adding new monsters and some of the best-looking armor sets I need to add to my collection
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Sony WF-C710N in blue glass on beige background
Sony WF-C710 earbuds land, and I think they'll be the 2025 budget buds to beat
The RIG M2 Streamstar attached to a boom arm.
The RIG M2 Streamstar is a new microphone with the world's first Bluetooth audio gateway in a wired gaming mic
Four operators survey Verdansk. One holds a sniper rifle, one binoculars, another holds is landing with their parachute, while the last wears a skull mask
New Call of Duty: Warzone trailer shows a beautiful rebuilt Verdansk, but some fans want more: 'it won't be the same unfortunately'
Data leak
A major Keenetic router data leak could put a million households at risk
A collage of Elizabeth Olsen's Scarlet Witch and Tatiana Maslany's She-Hulk
Marvel fans are already tired of Doomsday and Secret Wars cast gossip as two more superheroes get linked with roles in the next two Avengers movies
Quordle on a smartphone held in a hand
Quordle hints and answers for Wednesday, March 26 (game #1157)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Wednesday, March 26 (game #388)