Technical Analysis

Remote command execution vuln in Apache HugeGraph-Server, an open-source graph database project. Vendor advisory was published April 22, 2024 and indicates that HugeGraph-Server 1.0.0 prior to 1.3.0 is affected on Java 8 and Java 11. Both those Java versions are on long-term support, which could potentially reduce viable attack surface area somewhat, but we also know both JDK versions are still common in enterprise environments.

Vendor advisory lists the vuln severity as “important” rather than critical, but this solid SecureLayer7 write-up notes the CVSS score should probably be a 9.8, and that the vuln allows an attacker to “bypass the sandbox restrictions and achieve RCE through Gremlin [a query language supported in HugeGraph], resulting in complete control over the server.” Take a look at their June 5, 2024 blog for a full walk-through of exploitation.

The ShadowServer Foundation said on Mastodon July 16 that they were observing RCE exploit attempts for this vulnerability from multiple sources against honeypots. I haven’t personally seen any confirmation of successful exploitation against real-world production environments, but that doesn’t mean it’s not happening. Multiple public exploits and scanners are available, but as of July 26, Rapid7 researchers haven’t tested public PoCs directly — exploitability is an estimate based on available info.

Vendor guidance is to upgrade to version 1.3.0 with Java 11 and enable the Auth system, which purportedly fixes the issue. HugeGraph admins can also “enable the ‘Whitelist-IP/port’ function to improve the security of RESTful-API execution,” per the advisory.
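As an added, defender-side example (not code from the analysis above or from the HugeGraph project): a small Python triage helper that applies the advisory's stated version scope and reviews access-log lines for Gremlin API calls arriving from outside an operator allow-list, in the spirit of the Whitelist-IP mitigation. The access-log format, the `/gremlin` REST path and the sample addresses are assumptions/constructed.

```python
"""Added triage helper, not code from the AttackerKB post or the HugeGraph project.
is_affected(): advisory scope, HugeGraph-Server core 1.0.0 <= v < 1.3.0 on Java 8/11.
flag_gremlin_requests(): Gremlin API calls from outside an operator allow-list, worth
reviewing while the "Whitelist-IP/port" feature is rolled out.
The access-log format and the /gremlin REST path are assumptions."""
import ipaddress
import re

def parse_version(v: str) -> tuple:
    """'1.3.0' -> (1, 3, 0); numeric compare, so 1.10.0 > 1.3.0 (lexical would not)."""
    return tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", v).groups())

def java_major(java_version: str) -> int:
    """'1.8.0_392' -> 8 (legacy scheme), '11.0.22' -> 11, '17' -> 17."""
    parts = java_version.split(".")
    return int(parts[1]) if parts[0] == "1" else int(parts[0])

def is_affected(core_version: str, java_version: str) -> bool:
    v = parse_version(core_version)
    return (1, 0, 0) <= v < (1, 3, 0) and java_major(java_version) in (8, 11)

# Constructed sample access-log lines (CLF-like); the format is an assumption.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jul/2024:10:01:02 +0000] "POST /gremlin HTTP/1.1" 200 512
203.0.113.9 - - [20/Jul/2024:10:01:05 +0000] "POST /gremlin HTTP/1.1" 200 2048
198.51.100.7 - - [20/Jul/2024:10:01:07 +0000] "GET /versions HTTP/1.1" 200 128
203.0.113.10 - - [20/Jul/2024:10:01:09 +0000] "GET /gremlin?gremlin=g.V() HTTP/1.1" 200 90
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

def flag_gremlin_requests(log_text: str, allow_cidrs) -> list:
    """Return (src_ip, method, path) for Gremlin requests not from allow_cidrs."""
    allowed = [ipaddress.ip_network(c) for c in allow_cidrs]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, method, path, _status = m.groups()
        if path.split("?")[0].rstrip("/") != "/gremlin":
            continue
        if not any(ipaddress.ip_address(src) in net for net in allowed):
            hits.append((src, method, path))
    return hits

if __name__ == "__main__":
    print("affected:", is_affected("1.2.0", "1.8.0_392"))
    for hit in flag_gremlin_requests(SAMPLE_LOG, ["10.0.0.0/8"]):
        print("review:", hit)
```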

Technical Analysis

A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited or just used in reconnaissance/target selection: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a
