=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN099

_____________________________________________________________________

DATE                : 18/02/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache EventMesh versions prior to
                     1.11.0-release.

=====================================================================
https://lists.apache.org/thread/jltn9wncb7qll3dqp9mmkdmn8msg90ot
_____________________________________________________________________

CVE-2024-56180: Apache EventMesh: raft Hessian Deserialization
Vulnerability allowing remote code execution
Severity: moderate

Affected versions:

- Apache EventMesh unaffected

Description:

CWE-502 Deserialization of Untrusted Data in the eventmesh-meta-raft
plugin module of the Apache EventMesh master branch (code without a
release version) on Windows, Linux, macOS and other platforms allows
an attacker to send a controlled message and achieve remote code
execution via the Hessian deserialization RPC protocol. Users can use
the code under the master branch in the project repository or version
1.11.0-release to fix this issue.
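
The vulnerability class described above (an untrusted Hessian RPC payload naming the class to instantiate) and the general mitigation of restricting deserialization to an explicit allowlist, as an added illustration in Java. This is example code, not EventMesh's raft plugin code or its fix; it assumes the `com.caucho:hessian` library (4.0.51 or later, where `ClassFactory` allowlisting exists) on the classpath, and `RaftMessage` and `Unexpected` are constructed stand-in classes. Reading with the default `SerializerFactory` is the unrestricted pattern the advisory describes; the hardened reader combines an allowlist with a type check on the result.

```java
import com.caucho.hessian.io.Hessian2Input;
import com.caucho.hessian.io.Hessian2Output;
import com.caucho.hessian.io.SerializerFactory;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.Serializable;

// Hypothetical message type standing in for a raft RPC payload (not an EventMesh class).
class RaftMessage implements Serializable {
    public long term;
    public String payload;
}
// Constructed class that this endpoint must never accept off the wire.
class Unexpected implements Serializable { public String note = "not a RaftMessage"; }

public class HessianAllowlistDemo {
    // Hardened reader: allowlist-only SerializerFactory plus a type check on the result.
    static RaftMessage decodeAllowlisted(byte[] wire) throws IOException {
        SerializerFactory factory = new SerializerFactory();
        factory.getClassFactory().setWhitelist(true);   // reject every class not explicitly allowed
        factory.getClassFactory().allow("RaftMessage"); // the only type this endpoint accepts
        Hessian2Input in = new Hessian2Input(new ByteArrayInputStream(wire));
        in.setSerializerFactory(factory);
        Object obj = in.readObject();
        in.close();
        // A disallowed class is substituted or rejected depending on the Hessian version; the type check covers both.
        if (!(obj instanceof RaftMessage)) {
            throw new IOException("rejected payload of type " + (obj == null ? "null" : obj.getClass().getName()));
        }
        return (RaftMessage) obj;
    }
    static byte[] encode(Object obj) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        Hessian2Output out = new Hessian2Output(buf);
        out.writeObject(obj);
        out.close();
        return buf.toByteArray();
    }
    public static void main(String[] args) throws IOException {
        RaftMessage msg = new RaftMessage();
        msg.term = 7;
        msg.payload = "constructed sample";
        RaftMessage back = decodeAllowlisted(encode(msg));
        System.out.println("accepted term=" + back.term + " payload=" + back.payload);
        try { // a constructed Unexpected object stands in for an attacker-chosen class on the wire
            decodeAllowlisted(encode(new Unexpected()));
        } catch (IOException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```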


Credit:

yulate (reporter)
Au5t1n (reporter)
h3h3qaq (reporter)
X1r0z (reporter)


References:

https://eventmesh.apache.org
https://www.cve.org/CVERecord?id=CVE-2024-56180


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
