CVE-2024-52577
Published: 14 February 2025
Summary
CVE-2024-52577 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Apache Ignite. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely remediation of flaws through patching or upgrading Apache Ignite to version 2.17.0 or later directly eliminates the deserialization vulnerability exploited by crafted malicious messages.
Validating all incoming Ignite messages as external untrusted inputs prevents deserialization of malicious objects whose classes are present in the server classpath.
Monitoring and controlling communications at external boundaries can filter or block crafted Ignite messages targeting vulnerable endpoints from reaching the server.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated deserialization RCE against publicly accessible Ignite endpoints directly matches exploitation of public-facing applications.
NVD Description
In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. The vulnerability could be exploited if an attacker manually crafts an Ignite message containing a vulnerable object whose class is present…
more
in the Ignite server classpath and sends it to Ignite server endpoints. Deserialization of such a message by the Ignite server may result in the execution of arbitrary code on the Apache Ignite server side.
Deeper analysisAI
CVE-2024-52577 is a critical deserialization vulnerability (CWE-502) in Apache Ignite versions from 2.6.0 and before 2.17.0. It occurs because configured Class Serialization Filters are ignored for some Ignite endpoints, enabling the server to process untrusted serialized data without restrictions. This flaw allows deserialization of malicious objects whose classes are present in the Ignite server classpath, potentially leading to arbitrary code execution on the server side.
A remote, unauthenticated attacker can exploit this vulnerability by manually crafting an Ignite message containing a suitable deserialization gadget and sending it to affected Ignite server endpoints. Upon receipt and deserialization by the server, the gadget can trigger arbitrary code execution with the privileges of the Ignite process. The CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) reflects network accessibility, high attack complexity, changed scope, and high impact across confidentiality, integrity, and availability.
Advisories from the Apache mailing list (https://lists.apache.org/thread/1bst0n27m9kb3b6f6hvlghn182vqb2hh) and OSS-Security (http://www.openwall.com/lists/oss-security/2025/02/14/2) published on 2025-02-14 detail the issue and confirm it is addressed in Apache Ignite 2.17.0, where serialization filters are properly enforced on the affected endpoints. Security practitioners should prioritize upgrading to version 2.17.0 or later to mitigate the risk.
Details
- CWE(s)