The Apache Software Foundation (ASF) has issued patches for a critical vulnerability (CVE-2024-52046) in the Apache MINA Java network framework. Rated with a CVSS score of 10.0, the flaw arises from insecure deserialization in the ObjectSerializationDecoder. Exploitation could lead to remote code execution (RCE), but it requires specific conditions: the application must reach the IoBuffer#getObject() method, which happens when it uses classes such as ProtocolCodecFilter together with ObjectSerializationCodecFactory. To mitigate the issue, users must upgrade to the patched versions and configure the ObjectSerializationDecoder to explicitly allow only the classes it is expected to deserialize.
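As an added illustration of the mitigation described above (not code from the advisory or from the MINA project), the following shows the unrestricted codec setup beside a hardened one. It assumes the `accept(String...)` wildcard allowlist method that the patched MINA releases add to ObjectSerializationDecoder, and a hypothetical application package `com.example.app.wire` holding the message classes.

```java
import java.io.IOException;
import java.net.InetSocketAddress;

import org.apache.mina.core.service.IoHandlerAdapter;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.serialization.ObjectSerializationCodecFactory;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;

public class MinaObjectCodecConfig {

    // Hypothetical application package whose message classes are sent on the wire.
    static final String APP_WIRE_CLASSES = "com.example.app.wire.*";

    /** Weak setup: the factory wraps an ObjectSerializationDecoder with no class
     *  restriction, so bytes from a peer may resolve to any class on the classpath. */
    static ProtocolCodecFilter unrestrictedCodec() {
        return new ProtocolCodecFilter(new ObjectSerializationCodecFactory());
    }

    /** Hardened setup on a patched release: build the decoder directly and allow
     *  only the application's own message classes. accept(String...) is assumed
     *  to be the allowlist call added by the patched MINA API. */
    static ProtocolCodecFilter allowlistedCodec() {
        ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();
        decoder.accept(APP_WIRE_CLASSES);     // assumed patched-API allowlist call
        decoder.setMaxObjectSize(64 * 1024);  // also bound the size of one serialized object
        return new ProtocolCodecFilter(new ObjectSerializationEncoder(), decoder);
    }

    public static void main(String[] args) throws IOException {
        NioSocketAcceptor acceptor = new NioSocketAcceptor();
        acceptor.getFilterChain().addLast("codec", allowlistedCodec());
        acceptor.setHandler(new IoHandlerAdapter() {
            @Override
            public void messageReceived(IoSession session, Object message) {
                // Only instances of allowlisted classes reach the handler.
                System.out.println("received " + message.getClass().getName());
            }
            @Override
            public void exceptionCaught(IoSession session, Throwable cause) {
                // A class outside the allowlist is reported as a decode failure: log it and drop the session.
                System.err.println("decode rejected: " + cause.getMessage());
                session.closeNow();
            }
        });
        acceptor.bind(new InetSocketAddress(9999));
    }
}
```

The decode failures logged in `exceptionCaught` are the signal to monitor after upgrading: a burst of them from one peer indicates serialized payloads the application never expected.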
The ASF also recently addressed vulnerabilities in other projects, including Tomcat, Traffic Control, HugeGraph-Server, and Struts. Users are urged to update their systems promptly to prevent exploitation.