Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now

A critical SQL injection vulnerability, identified as CVE-2024-45387, has been discovered in Apache Traffic Control, affecting versions 8.0.0 and 8.0.1 of the Traffic Ops component. Here are the key details and updates:

Vulnerability Details

• CVE-2024-45387: This vulnerability is rated 9.9 out of 10 on the CVSS scoring system, indicating a critical severity125.
• Impact: The vulnerability allows a privileged user with roles such as 'admin', 'federation', 'operations', 'portal', or 'steering' to execute arbitrary SQL against the database by sending a specially-crafted PUT request125.
• Consequences: This could lead to data breaches, unauthorized access, and potentially a complete system takeover12.

Patching and Updates

• Patch Release: The vulnerability has been addressed in Apache Traffic Control version 8.0.2125.
• Recommendation: Organizations using Apache Traffic Control are strongly urged to upgrade to the latest version, specifically version 8.0.2, to protect against potential threats12.

Discovery and Reporting

• Discovery: The vulnerability was discovered by Yuan Luo from Tencent YunDing Security Lab12.

Context

• Apache Traffic Control: This is an open-source platform used to build large-scale content delivery networks (CDNs). It is built around Apache Traffic Server and helps operators establish robust CDNs12.

Related Security Updates

• Other Vulnerabilities: The Apache Software Foundation has also addressed other vulnerabilities, including an authentication bypass flaw in Apache HugeGraph-Server (CVE-2024-43441) and a patch for an important vulnerability in Apache Tomcat (CVE-2024-56337)2.

Summary

The CVE-2024-45387 vulnerability in Apache Traffic Control is a critical SQL injection flaw that could allow attackers to execute malicious SQL code. It has been patched in version 8.0.2, and users are advised to upgrade immediately to protect against potential threats.