Apache Software Foundation reports critical vulnerability in Apache MINA Java network
Take action: This is a critical flaw, but the exploit condition is quite specific. Unfortunately, the patching is also quite specific. So if you are using Apache MINA, read up in detail, check your code and plan to implement the patches. This will take some planning and organization. But don't ignore it, since someone will eventually find that you are vulnerable, or will use the particular method that is vulnerable.
The Apache Software Foundation has disclosed a critical security vulnerability in the Apache MINA Java network application framework. Apache MINA is a network application framework which helps users develop network applications. It provides an abstract event-driven asynchronous API over various transports such as TCP/IP and UDP/IP.
The vulnerability, tracked as CVE-2024-52046 (CVSS score 10.0), stems from the ObjectSerializationDecoder component, which uses Java's native deserialization protocol without implementing proper security checks. This flaw could allow attackers to execute code remotely by sending specially crafted serialized data.
The vulnerability is only exploitable when the IoBuffer#getObject() method is called. This method is specifically invoked when adding a ProtocolCodecFilter instance using the ObjectSerializationCodecFactory class in the filter chain. The affected versions are:
- Apache MINA 2.0 through 2.0.26
- Apache MINA 2.1 through 2.1.9
- Apache MINA 2.2 through 2.2.3
The FtpServer, SSHd, and Vysper sub-projects are not affected by this vulnerability.
The ASF has released patches in versions 2.0.27, 2.1.10, and 2.2.4. However, upgrading alone is insufficient for complete remediation. Users must also explicitly allow-list the classes the decoder may deserialize, by calling one of three new methods on the ObjectSerializationDecoder instance:
- accept(ClassNameMatcher classNameMatcher)
- accept(Pattern pattern)
- accept(String... patterns)
By default, the new security implementation will reject all classes present in incoming data as a safety measure.
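The following Java snippet is an added example, not code from the ASF advisory or the MINA project, showing the filter-chain setup the advisory describes: the pre-fix pattern that hands every inbound stream to Java deserialization, beside the post-fix pattern that builds the ObjectSerializationDecoder explicitly and calls accept(String... patterns). It assumes the MINA 2.x ProtocolCodecFilter constructor that takes an encoder and a decoder, the NioSocketAcceptor transport, and that accept() takes fully qualified class names; the Ping message class is constructed for the example.

```java
import java.io.Serializable;
import java.net.InetSocketAddress;

import org.apache.mina.core.service.IoAcceptor;
import org.apache.mina.core.service.IoHandlerAdapter;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.serialization.ObjectSerializationCodecFactory;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;

public class MinaCodecHardening {

    /** Constructed example message type: the only class this service expects on the wire. */
    public static final class Ping implements Serializable {
        private static final long serialVersionUID = 1L;
        public final long sentAt = System.currentTimeMillis();
    }

    /**
     * Pre-fix pattern (MINA 2.0.x up to 2.0.26, 2.1.x up to 2.1.9, 2.2.x up to 2.2.3).
     * The default codec factory deserializes whatever class the peer names, which is the
     * configuration CVE-2024-52046 applies to. Shown only so the difference is visible.
     */
    static ProtocolCodecFilter unrestrictedCodec() {
        return new ProtocolCodecFilter(new ObjectSerializationCodecFactory());
    }

    /**
     * Post-fix pattern (2.0.27 / 2.1.10 / 2.2.4): construct the decoder yourself and
     * register the classes it is allowed to instantiate. With no accept() call the patched
     * decoder rejects every class, so an upgraded service that suddenly drops all messages
     * is the symptom that this step was skipped.
     */
    static ProtocolCodecFilter restrictedCodec() {
        ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();
        // accept(String... patterns) is one of the three methods added by the fix.
        // Exact class names are the tightest form. Every Serializable class that appears in
        // the object graph (field types, Serializable superclasses) must be listed too;
        // Ping has only a primitive field, so one entry suffices. (Assumption: accept()
        // matches fully qualified names.)
        decoder.accept(Ping.class.getName());
        return new ProtocolCodecFilter(new ObjectSerializationEncoder(), decoder);
    }

    public static void main(String[] args) throws Exception {
        IoAcceptor acceptor = new NioSocketAcceptor();
        // Install the allow-listed codec, never unrestrictedCodec(), on the chain.
        acceptor.getFilterChain().addLast("codec", restrictedCodec());
        acceptor.setHandler(new IoHandlerAdapter() {
            @Override
            public void messageReceived(IoSession session, Object message) {
                // Only Ping instances can reach this point; anything else was rejected
                // by the decoder before Java deserialization resolved the class.
                if (message instanceof Ping) {
                    session.write(new Ping());
                }
            }
        });
        acceptor.bind(new InetSocketAddress(8080)); // constructed port for the example
    }
}
```

When auditing an existing code base, search for ProtocolCodecFilter instances built from ObjectSerializationCodecFactory or from a bare ObjectSerializationDecoder: each one is a place where the upgrade must be paired with an accept() call, and the class list passed there should be the full set of Serializable types the service legitimately exchanges, nothing broader.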