Advisory August 5, 2024

Apache InLong Critical Vulnerability with CVE-2024-36268

The Obrela Threat Intelligence Team

A vulnerability has been identified in Apache InLong. It could allow a remote attacker to perform Code Injection against the InLong software. The vulnerability (CVE-2024-36268) has a Critical CVSSv3.1 base score of 9.8 out of 10.

Description:

CVE-2024-36268 is an Improper Control of Generation of Code ('Code Injection') weakness (CWE-94) in Apache InLong versions 1.10.0 through 1.12.0 which, if exploited, can lead to Remote Code Execution (RCE). An attacker with network access to a vulnerable instance could execute arbitrary code on the server running InLong; the 9.8 base score reflects that no privileges and no user interaction are required. Because InLong is an integration framework for moving large volumes of data and is deployed across many different industries, the potential for data leakage and further malicious exploitation is significant, and every organization running the software should verify that it is not on a vulnerable version.

Affected Versions:

The issue affects Apache InLong versions 1.10.0 through 1.12.0 inclusive. Version 1.13.0 is the first release containing the fix.

Recommendations:

  • To mitigate this critical vulnerability, organizations running Apache InLong should upgrade every deployment to version 1.13.0 or later and confirm the running version after the upgrade.
  • Inventory all InLong instances, including test and development environments, and establish a process for applying future InLong security updates promptly; new instances should be built from a fixed release.
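The affected range and the minimum fixed release above translate directly into a triage check. The script below is an added example, not Obrela's or the Apache InLong project's code: it parses reported InLong version strings (including "v"-prefixed and "-SNAPSHOT" forms) and sorts a deployment inventory into hosts that need upgrading, hosts already on 1.13.0 or later or below the stated range, and hosts whose version string could not be parsed and needs a manual look. The hostnames and versions in SAMPLE_INVENTORY are constructed sample data, and the check treats everything from 1.10.0 up to but not including 1.13.0 as affected, a conservative reading of the advisory.

```python
"""Triage deployed Apache InLong versions against the CVE-2024-36268 range.

Added example, not Obrela's or the Apache InLong project's code.  Per the
advisory, 1.10.0 through 1.12.0 are affected and 1.13.0 is the first fixed
release; this check treats every release in [1.10.0, 1.13.0) as affected.
"""
import re
from typing import Dict, List, Optional, Tuple

FIRST_AFFECTED = (1, 10, 0)
FIRST_FIXED = (1, 13, 0)  # fixed in 1.13.0 per the advisory

# Accepts "1.12.0", "v1.12", "1.12.0-SNAPSHOT"; rejects "latest", "unknown".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse a release version string into (major, minor, patch).

    Returns None for strings that do not look like a release version, so the
    caller can flag them for manual review instead of silently passing them.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version: str) -> Optional[bool]:
    """True if the version is in the vulnerable range, False if it is
    outside it (older than 1.10.0 or 1.13.0+), None if it cannot be parsed."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return FIRST_AFFECTED <= parsed < FIRST_FIXED


# Constructed sample inventory: hostname -> reported InLong version.
SAMPLE_INVENTORY: Dict[str, str] = {
    "inlong-mgr-01": "1.12.0",
    "inlong-mgr-02": "1.13.0",
    "inlong-sort-01": "v1.10.0",
    "inlong-legacy": "1.9.0",
    "inlong-dev": "1.12.0-SNAPSHOT",
    "inlong-unknown": "latest",
}


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split an inventory into hosts to upgrade, hosts outside the affected
    range, and hosts whose version string needs a manual look."""
    result: Dict[str, List[str]] = {"upgrade": [], "ok": [], "review": []}
    for host, version in sorted(inventory.items()):
        status = is_affected(version)
        if status is None:
            result["review"].append(host)
        elif status:
            result["upgrade"].append(host)
        else:
            result["ok"].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:8s} {', '.join(hosts) or '-'}")
```

Note that "ok" only means the version is outside the range this advisory names; a host on 1.9.0 lands there as well, and a version string is not proof that the fixed code is actually what is running, so confirm the deployed release after upgrading.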


References: