Apache HugeGraph-Server Remote Code Execution Vulnerability via Insecure Hessian Deserialization
Vulnerability
A remote code execution vulnerability has been identified in Apache HugeGraph-Server versions 1.0.0 through 1.5.0, prior to 1.7.0. This vulnerability allows a malicious Raft node to exploit insecure Hessian deserialization within the PD store, leading to object injection attacks. The issue arises from the lack of proper validation in the deserialization process, which can be manipulated by an adversarial node in the Raft cluster.
Impact
Exploitation of this vulnerability allows for remote code execution on the server where Apache HugeGraph is running.
Remediation
Users are advised to upgrade to Apache HugeGraph-Server version 1.7.0 or later, which addresses this vulnerability by enforcing IP-based authentication to restrict cluster membership and implementing a strict class whitelist to enhance the security of the Hessian serialization process.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.