Apache InLong project reports critical flaw in its TubeMQ component
Take action: If you are using Apache InLong, first check whether TubeMQ is exposed to the internet. If it is exposed, patch ASAP. If not, plan to patch, either by cherry-picking the patch code or by upgrading to the latest version of Apache InLong. Unfortunately, upgrading may be a tedious process, so applying the patch may be the first choice.
The Apache InLong project, a data integration framework designed for managing large-scale data streams, has issued an urgent security advisory regarding a critical vulnerability in its TubeMQ component.
The flaw, tracked as CVE-2024-36268 (CVSS score 9.8), allows remote attackers to execute arbitrary code on affected systems. The vulnerability is located in the TubeMQ Client, a part of the InLong framework that enables communication with the TubeMQ message queue system. This component is used to ensure the smooth and secure transmission of data within the framework. The identified flaw permits code injection, which could be exploited by malicious actors to gain unauthorized control over the system. This could lead to severe breaches of data integrity and confidentiality, impacting the sensitive information processed through InLong.
The InLong team has released version 1.13.0 of the framework, which addresses the identified security flaw. Users of Apache InLong are strongly urged to upgrade to this latest version without delay to protect their systems from potential exploitation.