Apache reports critical flaw in Ignite distributed database enabling Remote Code Execution
Take action: If you are using Apache Ignite, isolate the Ignite nodes (TCP ports 47100, 47500-47501) to trusted networks and, if possible, also implement the JVM's native deserialization filter (jdk.serialFilter). Then plan a patch to the latest version.
A critical security vulnerability has been identified in Apache Ignite, affecting all versions from 2.6.0 up to but not including 2.17.0.
The vulnerability, tracked as CVE-2024-52577 (CVSS score 9.8), allows remote attackers to execute arbitrary code on vulnerable servers through insecure deserialization. It stems from Apache Ignite's server nodes improperly handling incoming messages during the deserialization process.
The vulnerability can be exploited when an attacker crafts a specific Ignite message containing a malicious object; the target server's classpath includes the attacker-chosen class; the message is sent to Ignite server endpoints where class serialization filters are bypassed; and the deserialization process executes with the same privileges as the Ignite process.
Successful exploitation of this vulnerability could result in full server compromise, data exfiltration, lateral movement within the infrastructure, and remote code execution with Ignite process privileges.
Apache Ignite has fixed this vulnerability in version 2.17.0. For environments where immediate upgrading is not feasible, several interim security measures are recommended:
- Apply network segmentation to limit access to Ignite nodes (TCP ports 47100, 47500-47501) to trusted IP ranges only.
- Deploy runtime monitoring through intrusion detection systems to identify suspicious deserialization patterns.
- Enable JVM-level protections by implementing the JVM's native deserialization filter (jdk.serialFilter) to block high-risk packages.
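The following added example (not from the advisory or from Apache Ignite) shows how a jdk.serialFilter pattern is evaluated by standard Java deserialization through `ObjectInputStream`. The class `Untrusted` and the pattern string are constructed for illustration; a real deployment needs a pattern built from the classes the application legitimately exchanges.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class SerialFilterDemo {
    // Constructed stand-in for a class that must never be deserialized from untrusted input.
    static class Untrusted implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Same syntax as -Djdk.serialFilter=... ; class patterns are checked left to right.
    // Illustrative pattern: cap graph depth and array size, reject the stand-in class,
    // allow classes from the java.base module, reject everything else.
    static final String PATTERN =
        "maxdepth=20;maxarray=100000;!SerialFilterDemo$Untrusted;java.base/*;!*";

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Returns true if the filter let the stream through, false if it rejected a class.
    static boolean accepted(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(PATTERN);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter); // must be set before the first readObject()
            in.readObject();
            return true;
        } catch (InvalidClassException e) {
            // Thrown by ObjectInputStream when the filter returns REJECTED.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        List<String> benign = new ArrayList<>(List.of("cache-key"));
        System.out.println("ArrayList accepted: " + accepted(serialize(benign)));
        System.out.println("Untrusted accepted: " + accepted(serialize(new Untrusted())));
    }
}
```

Setting the same pattern JVM-wide with `-Djdk.serialFilter=<pattern>` applies it to every `ObjectInputStream` that does not install its own filter.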
As of February 19, 2025, no active exploits have been reported. Security experts anticipate the development of proof-of-concept code given the critical nature of the vulnerability.