CVE-2024-45772

Remote Code Execution
Affects
Apache Lucene
>=4.4.0 <9.12.0
in
Apache Solr & Lucene
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Apache Lucene is a high-performance, full-text search library written in Java that provides powerful indexing and search capabilities. It is widely used for building search engines and applications that require efficient text retrieval, offering features like ranked searching, phrase queries, and filtering. Lucene enables developers to create scalable and customizable search solutions by indexing structured and unstructured data. It serves as the core search technology for popular search platforms like Elasticsearch and Apache Solr, making it a foundational tool for modern search applications.

A Remote Code Execution (RCE) vulnerability (CVE-2024-45772) has been identified in the Apache Lucene Replicator. The affected code deserializes untrusted data received over the network, which an attacker can use to execute arbitrary code on the host running it.

Per the Open Web Application Security Project (OWASP): "Code Injection occurs when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization."

This issue affects all versions from 4.4.0 up to, but not including, 9.12.0.

Details

Vulnerability Info

The Apache Lucene Replicator module has a Deserialization of Untrusted Data vulnerability affecting versions 4.4.0 through 9.11.x. Specifically, the deprecated org.apache.lucene.replicator.http package is vulnerable, while the org.apache.lucene.replicator.nrt package remains unaffected.

To resolve this issue, users should upgrade to version 9.12.0, which includes a fix. The vulnerability can only be exploited if users deploy a network-accessible implementation along with a client that utilizes an HTTP library to interact with the affected API (e.g., a custom servlet and HTTPClient).

Credit

  • streichsbaer

Mitigation

Apache Lucene versions 8.11.4 and earlier are no longer community-supported, so the community will not release updates to address this issue in those versions. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade Apache Lucene to 9.12.0, or add the -Djdk.serialFilter='!*' option to the JVM.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
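The -Djdk.serialFilter='!*' option in the first mitigation installs a JVM-wide deserialization filter that rejects every class. The following is an added example (not code from this advisory or from Apache Lucene) that applies the same '!*' pattern to a single stream via java.io.ObjectInputFilter on a constructed sample payload, to show what the filter does and the caveat that it blocks legitimate deserialization as well.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;

public class SerialFilterDemo {

    // Same pattern as -Djdk.serialFilter='!*': every class name is rejected,
    // so no serialized object graph can be reconstructed at all.
    static final ObjectInputFilter REJECT_ALL = ObjectInputFilter.Config.createFilter("!*");

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Applies the filter to this stream only. The JVM-wide equivalent is the
    // jdk.serialFilter system property (or ObjectInputFilter.Config.setSerialFilter).
    static Object deserialize(byte[] data, ObjectInputFilter filter) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            if (filter != null) {
                ois.setObjectInputFilter(filter);
            }
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payload: a harmless ArrayList, standing in for any
        // serialized object the process might legitimately receive.
        List<String> payload = new ArrayList<>(List.of("constructed", "sample"));
        byte[] data = serialize(payload);

        System.out.println("no filter : " + deserialize(data, null));
        try {
            deserialize(data, REJECT_ALL);
        } catch (InvalidClassException e) {
            // The filter rejects ArrayList before any object is created.
            System.out.println("'!*' filter: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Because the JVM option is process-wide, anything else in the same JVM that relies on Java serialization (for example session persistence or RMI) will fail in the same way, so test the application after adding it rather than only the Lucene replicator path.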

Vulnerability Details
ID
CVE-2024-45772
PROJECT Affected
Apache Lucene
Versions Affected
>=4.4.0 <9.12.0
Published date
March 21, 2025
Fix date (approximate)
March 21, 2025
Severity
Medium
Category
Remote Code Execution