Apache HugeGraph-Server flaw actively exploited, CISA warns

The vulnerability was patched months ago

TechRadar News · By Sead Fadilpašić · Published 20 September 2024


The US Cybersecurity and Infrastructure Security Agency (CISA) has added an Apache HugeGraph-Server vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signaling that the bug is actively being exploited in the wild.

The addition also forces federal agencies to apply a patch before the October 9 deadline, or stop using the vulnerable product altogether.

The bug in question is a remote command execution flaw in the Gremlin graph traversal language API. It carries a severity score of 9.8 and affects all versions of the software prior to 1.3.0. It is tracked as CVE-2024-27348 and was patched months ago, in April.

Four more bugs

Besides installing the patch, users are also advised to use Java 11 and enable the Auth system. It was also recommended that they enable the “Whitelist-IP/port” function, since it improves the security of RESTful-API execution.

In mid-July this year, the Shadowserver Foundation said it found evidence of the flaw’s exploitation, adding that the PoC code has been public since early June.

“If you run HugeGraph, make sure to update,” the organization said at the time.

Apache HugeGraph is an open source graph database system, supporting the storage and querying of billions of vertices and edges. Implemented with the Apache TinkerPop3 framework, it is fully compatible with the Gremlin query language, allowing for complex graph queries and analyses.
