Apache Ignite High-Risk Vulnerability: Attackers can execute arbitrary code
Apache Ignite is a memory-centric, distributed data management framework that is commonly used for caching and processing transactional, analytical, and streaming workloads.
The Apache Ignite development team recently posted a high-risk vulnerability alert (CVE-2014-0114) to the Apache mailing list. Ignite 2.4 and all earlier versions are affected.
It is reported that Apache Ignite uses the commons-beanutils-1.8.3.jar library. “Apache Ignite used commons-beanutils-1.8.3.jar library which did not suppress the class property, which allowed remote attackers to ‘manipulate’ the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.”
The development team recommends that users check whether any custom code deployed to Apache Ignite relies on the vulnerable classes and, if it does, upgrade to Ignite 2.5 or later as soon as possible.
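An added example (not code from the Ignite project or the advisory) of how custom code that binds request parameters with BeanUtils can close this hole: it rejects any parameter path that traverses the `class` property before binding, and, where commons-beanutils 1.9.2 or later is on the classpath, also registers `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` so the library itself hides that property. The `UserForm` bean, the `populateSafely` helper and the sample request map are constructed for the illustration.

```java
import java.lang.reflect.InvocationTargetException;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class SafePopulate {
    // Hypothetical form bean standing in for custom code that binds request parameters.
    public static class UserForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Matches a property path segment named "class" (e.g. "class.classLoader.x"),
    // the shape of the parameter that reaches getClass() through BeanUtils 1.8.3.
    private static final Pattern CLASS_SEGMENT =
        Pattern.compile("(^|\\.|\\[)class(\\.|\\[|\\(|$)");

    public static boolean isSuspicious(String propertyPath) {
        return CLASS_SEGMENT.matcher(propertyPath).find();
    }

    // Binds only parameters that do not traverse the "class" property, and additionally
    // asks BeanUtils (1.9.2+) to suppress that property in its own introspection.
    public static void populateSafely(Object bean, Map<String, String> params)
            throws IllegalAccessException, InvocationTargetException {
        BeanUtilsBean utils = new BeanUtilsBean();
        utils.getPropertyUtils().addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        Map<String, String> filtered = new HashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (isSuspicious(e.getKey())) {
                // Hook for logging or alerting: a "class.*" parameter is never legitimate form input.
                System.err.println("rejected parameter: " + e.getKey());
                continue;
            }
            filtered.put(e.getKey(), e.getValue());
        }
        utils.populate(bean, filtered);
    }

    public static void main(String[] args) throws Exception {
        UserForm form = new UserForm();
        Map<String, String> request = new HashMap<>();      // constructed sample input
        request.put("name", "alice");
        request.put("class.classLoader.anyProperty", "x"); // CVE-2014-0114 parameter shape
        populateSafely(form, request);
        System.out.println("name=" + form.getName());
    }
}
```

The parameter filter is a stopgap for code still bound to commons-beanutils 1.8.3; upgrading Ignite as the development team recommends remains the actual fix.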