IGA CVE-2024-52046: Apache MINA Deserialization RCE Vulnerability



Article ID: 385148


Products

- CA Identity Suite
- CA Identity Manager
- CA Identity Portal
- CA Identity Governance

Issue/Introduction

According to CVE-2024-52046, a critical deserialization vulnerability exists in Apache MINA core versions 2.0.X, 2.1.X and 2.2.X (https://github.com/advisories/GHSA-76h9-2vwh-w278).

See also:
- https://lists.apache.org/thread/4wxktgjpggdbto15d515wdctohb0qmv8
- https://www.openwall.com/lists/oss-security/2024/12/25/1

We found out that there is a file named mina-core-2.0.0-RC1.JAR under the Connector Server installation folder:
C:\Program Files (x86)\CA\Identity Manager\Connector Server\system\org\apache\mina\mina-core\2.0.0-RC1

There's also a file called mina-core-2.1.6.JAR under the Jaspersoft Reports installation folder:
C:\apache-tomcat-9.0.96\webapps\jasperserver-pro\WEB-INF\lib
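Because the affected copies of mina-core sit in two different installation trees, an administrator will usually want to inventory every mina-core jar on a host rather than rely on the two paths above. The following script is an added example, not part of this article or of the product: it walks a directory tree, matches mina-core jar file names (including release-candidate names such as 2.0.0-RC1 and upper-case .JAR extensions), and flags any whose version falls in the 2.0.X, 2.1.X or 2.2.X lines that CVE-2024-52046 names as affected. The sample directory layout it builds is constructed for the demonstration; the 1.1.7 jar and the mina-integration-beans jar are included only to show what is not flagged. A match means a vulnerable library version is present on disk, not that the application is reachable or exploitable; that still has to be confirmed against the vendor hotfix status.

```python
import re
import tempfile
from pathlib import Path

# Version lines named as affected by CVE-2024-52046 / GHSA-76h9-2vwh-w278.
AFFECTED_LINES = {(2, 0), (2, 1), (2, 2)}

# mina-core-<major>.<minor>.<patch>[-<qualifier>].jar, case-insensitive so that
# the upper-case .JAR names seen in the Connector Server tree also match.
JAR_RE = re.compile(
    r"^mina-core-(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9]+))?\.jar$", re.IGNORECASE
)


def classify_jar(filename):
    """Return (version, affected) for a mina-core jar name, or None for any other file."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    qualifier = m.group(4)
    version = f"{major}.{minor}.{patch}" + (f"-{qualifier}" if qualifier else "")
    return version, (major, minor) in AFFECTED_LINES


def find_mina_jars(root):
    """Walk root recursively and report every mina-core jar with its affected status."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        result = classify_jar(path.name)
        if result is not None:
            version, affected = result
            findings.append({"path": str(path), "version": version, "affected": affected})
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample layout mirroring the two locations from the article plus two
# files that must not be flagged (a pre-2.0 version and a non-core MINA jar).
SAMPLE_LAYOUT = [
    "Identity Manager/Connector Server/system/org/apache/mina/mina-core/2.0.0-RC1/mina-core-2.0.0-RC1.JAR",
    "apache-tomcat-9.0.96/webapps/jasperserver-pro/WEB-INF/lib/mina-core-2.1.6.jar",
    "other-app/lib/mina-core-1.1.7.jar",
    "other-app/lib/mina-integration-beans-2.1.6.jar",
]


def scan_sample_tree():
    """Build the constructed layout in a temp dir, scan it, and return relative findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in SAMPLE_LAYOUT:
            p = Path(tmp) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"")  # empty placeholder; only the file name is inspected
        findings = find_mina_jars(tmp)
        for f in findings:
            f["path"] = str(Path(f["path"]).relative_to(tmp))
        return findings


if __name__ == "__main__":
    for f in scan_sample_tree():
        status = "AFFECTED" if f["affected"] else "not in an affected line"
        print(f"{f['version']:<12} {status:<24} {f['path']}")
```

To run it against a real host, replace `scan_sample_tree()` with `find_mina_jars(r"C:\Program Files (x86)\CA")` or the Tomcat root, and treat every entry with `affected` set to True as a jar that must be covered by the hotfix or a vendor-supplied replacement.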


Environment

IGA 14.5.X

Resolution

Development provided a hotfix for 14.5 SP1 CHF1 - HF_CS-14.5.1-20250123091437-DE624172.tgz.gpg

The hotfix will also be part of the next release of the IGA product.

Additional Information

A fix for the Jaspersoft Reports component is being worked on by the Jasper team.