CVE-2024-37902 (CVSS 10): Critical Flaw in Deep Java Library Opens Door to System Takeover

by do son · Published June 17, 2024 · Updated June 18, 2024

A critical vulnerability (CVE-2024-37902) has been discovered in the Deep Java Library (DJL), a widely-used open-source framework for deep learning projects. The flaw allows attackers to overwrite critical system files, potentially granting them full control over affected systems. The issue affects all DJL versions prior to 0.28.0.

Inside the Vulnerability

The CVE-2024-37902 vulnerability stems from how DJL handles archived artifacts, which are collections of files used in deep learning models. Malicious actors can craft these artifacts to contain files with absolute paths, essentially instructing the system to place them in specific, sensitive locations. This enables attackers to overwrite configuration files, executables, or even core operating system components.

Why This Matters

Deep Java Library is a cornerstone for many Java-based AI and machine learning applications. Its popularity and ease of use make it a prime target for exploitation. The vulnerability’s severity (rated 10 out of 10 on the CVSS scale) underscores the urgency for immediate action.

A successful attack could result in:

Unauthorized access: Attackers gain access to sensitive data or systems they shouldn’t have permission to.
Data loss or corruption: Critical files could be modified or deleted, causing disruption or even financial damage.
Complete system compromise: In the worst-case scenario, attackers could seize control of the entire system, using it for malicious purposes like spreading malware or mining cryptocurrency.

Who’s at Risk?

Any organization or individual using Deep Java Library versions 0.1.0 through 0.27.0 is at risk. This includes:

Developers: Those building AI or machine learning applications with DJL.
Enterprises: Companies using DJL in their production environments for data analysis, automation, or other tasks.
Researchers: Academic institutions and research labs leveraging DJL for their projects.

Urgent Action Required

The maintainers of Deep Java Library have addressed the vulnerability in version 0.28.0. Additionally, they’ve released patched container images for those using the Large Model Inference feature. Users are strongly advised to upgrade immediately to protect their systems.

For detailed instructions and patched container versions, please refer to the official Deep Java Library GitHub repository.

Security experts warn that the widespread use of DJL means this vulnerability could have a significant impact if left unpatched.