Apache’s maintainers on Dec. 23 released patches for a critical vulnerability, rated 9.9 in severity, in the Traffic Ops component of Apache Traffic Control versions 8.0.0 and 8.0.1.
The flaw — CVE-2024-45387 — lets attackers with privileged roles such as “admin” or “operations” inject malicious SQL commands through specially crafted PUT requests.
By manipulating input fields that interact with the database, an attacker can execute SQL queries that could compromise the entire database.
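An added illustration, not code from Apache Traffic Control (whose real handler and schema are not described here): a hypothetical PUT handler that gates on the “admin”/“operations” roles named above but still splices the request body into the UPDATE statement, next to the parameterized form, both run against a constructed in-memory SQLite table.

```python
import sqlite3

# Hypothetical names and schema, constructed for this illustration only.
PRIVILEGED_ROLES = {"admin", "operations"}


def _fresh_db():
    """Constructed stand-in for a Traffic Ops-style table with two rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cdn (id INTEGER PRIMARY KEY, name TEXT, domain TEXT)")
    db.executemany(
        "INSERT INTO cdn (id, name, domain) VALUES (?, ?, ?)",
        [(1, "cdn-east", "east.example.net"), (2, "cdn-west", "west.example.net")],
    )
    return db


def update_cdn_vulnerable(db, role, cdn_id, body):
    """PUT handler that checks the caller's role but builds SQL by concatenation."""
    if role not in PRIVILEGED_ROLES:
        raise PermissionError("privileged role required")
    # Defect: the caller-controlled 'domain' field becomes part of the statement text,
    # so the role check alone does not keep a privileged user out of the database.
    sql = "UPDATE cdn SET domain = '%s' WHERE id = %d" % (body["domain"], cdn_id)
    db.execute(sql)
    db.commit()


def update_cdn_hardened(db, role, cdn_id, body):
    """Same handler with a parameterized query: the value is bound, never parsed as SQL."""
    if role not in PRIVILEGED_ROLES:
        raise PermissionError("privileged role required")
    db.execute("UPDATE cdn SET domain = ? WHERE id = ?", (body["domain"], cdn_id))
    db.commit()


def domains(db):
    """Return {id: domain} so the effect of each handler can be compared."""
    return dict(db.execute("SELECT id, domain FROM cdn ORDER BY id"))


# Constructed PUT body: the quote closes the string literal and the widened
# WHERE clause rewrites every row instead of only the addressed record.
CRAFTED_BODY = {"domain": "evil.example' WHERE 1=1 --"}


def demo():
    vuln = _fresh_db()
    update_cdn_vulnerable(vuln, "operations", 1, CRAFTED_BODY)
    hard = _fresh_db()
    update_cdn_hardened(hard, "operations", 1, CRAFTED_BODY)
    return domains(vuln), domains(hard)
```

In the vulnerable path both rows end up rewritten; in the hardened path only row 1 changes, and it stores the crafted string verbatim.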
Apache Traffic Control is an open-source platform that orchestrates the distribution of web content. It is designed to control traffic flow, optimize delivery paths, and cache content efficiently across multiple servers.
Security pros considered this flaw very serious given the important role Apache Traffic Control plays in managing web content and data.
“Exploiting this vulnerability could lead to unauthorized data access, modification, or deletion, severely impacting the integrity and availability of the content delivery network (CDN) services managed by Apache Traffic Control,” said Jason Soroko, senior fellow at Sectigo. “It’s important to update immediately to protect systems from SQL-based attacks and ensure the security of CDN operations.”
Lawrence Pingree, vice president at Dispersive, added that this hack demonstrates a method for letting the hacker directly access an SQL database. Pingree said it’s similar to SQL injection attacks, which essentially let the attacker exfiltrate the database by querying it directly.
“So, if a website uses Apache Traffic Control, the attackers could breach the data in the database and download all the data,” said Pingree. “Ultimately, the role requirements limit the potential blast radius, since the attacker would also need to breach the user's credentials before using the exploit.”