Apache Fixes RCE Flaw in Lucene.NET Search Engine
The Apache Software Foundation has fixed a remote code execution vulnerability in its Lucene.NET search engine library. The bug affects a dozen releases in the 4.8.0 beta line, from 4.8.0-beta00005 through 4.8.0-beta00016.
CVE: CVE-2024-43383
Why It Matters: Lucene.NET is a widely used library and API that implements a full-text search engine for .NET applications. The bug is a deserialization flaw in the library's replication module (Lucene.Net.Replicator), which lets a replication client fetch index updates from a replication server. Because the client deserializes an error response into whatever type the response names, an attacker who can supply that response gets arbitrary code execution in the process running the replication client.
“An attacker that can intercept traffic between a replication client and server, or control the target replication node URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This can result in remote code execution or other potential unauthorized access,” the advisory says.
Key Details:
Affects versions 4.8.0-beta00005 through 4.8.0-beta00016
Remotely exploitable
Results from deserialization of untrusted data: the JSON error response from the replication server names the concrete exception type to instantiate, and the client trusts that name
Requires the attacker to be able to intercept or modify traffic between the replication client and server, or to control the URL of the replication node the client connects to
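The bug class behind this advisory, shown as an added example that is not Lucene.NET's own code and does not claim to reproduce the project's exact replicator implementation: a .NET client that deserializes a remote error body with Json.NET's TypeNameHandling.All lets the sender pick the concrete type via the "$type" hint, so the attacker's chosen type is constructed and its property setters run. The hardened version keeps TypeNameHandling at None, reads the body into a plain data-transfer object, and maps it onto one fixed local exception type. It assumes the Newtonsoft.Json package; CanaryException, ReplicationClient, RemoteError and ReplicationException are illustrative names invented for the demo, and the payload is constructed to mimic what a rogue replication node or a man-in-the-middle would return.

```csharp
// Added example (not Lucene.NET's code): the Json.NET misuse pattern behind this
// bug class, beside a hardened replacement. Requires the Newtonsoft.Json package.
// All type and member names below are illustrative assumptions for the demo.
using System;
using System.Collections.Generic;
using Newtonsoft.Json;

namespace ReplicationDemo
{
    // Stand-in for any Exception-derived type an attacker can name in "$type".
    // Its setter runs during deserialization and records that it did; a real
    // gadget type would do something far worse with the attacker's value.
    public class CanaryException : Exception
    {
        public static readonly List<string> SideEffects = new List<string>();
        private string _command;
        public string Command
        {
            get => _command;
            set { _command = value; SideEffects.Add("setter ran with: " + value); }
        }
    }

    public static class ReplicationClient
    {
        // VULNERABLE: TypeNameHandling.All honours "$type" from the wire. Json.NET only
        // checks that the named type is assignable to Exception, then instantiates it
        // and populates its members, so the remote side chooses what code runs here.
        public static Exception DeserializeErrorUnsafe(string body)
        {
            var settings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All };
            return JsonConvert.DeserializeObject<Exception>(body, settings);
        }

        // HARDENED: the wire format carries data only. The body is read into a
        // sealed DTO with TypeNameHandling.None (stated explicitly even though it is
        // the default), so a "$type" hint is ignored, and the client builds its own
        // fixed exception type from the fields it chooses to trust.
        public sealed class RemoteError
        {
            public string ExceptionType { get; set; }
            public string Message { get; set; }
        }

        public sealed class ReplicationException : Exception
        {
            public string RemoteType { get; }
            public ReplicationException(string remoteType, string message) : base(message)
            {
                RemoteType = remoteType;
            }
        }

        public static ReplicationException DeserializeErrorSafe(string body)
        {
            var settings = new JsonSerializerSettings
            {
                TypeNameHandling = TypeNameHandling.None,
                MissingMemberHandling = MissingMemberHandling.Ignore,
            };
            RemoteError dto = JsonConvert.DeserializeObject<RemoteError>(body, settings);
            if (dto == null)
            {
                return new ReplicationException("unknown", "empty error body from replication node");
            }
            return new ReplicationException(dto.ExceptionType ?? "unknown", dto.Message ?? "no message");
        }
    }

    public static class Program
    {
        public static void Main()
        {
            // Constructed payload simulating a crafted error response. An attacker
            // would name a type already loadable by the victim process; the canary
            // stands in for that type here.
            string gadgetType = typeof(CanaryException).AssemblyQualifiedName;
            string payload = "{\"$type\":\"" + gadgetType + "\","
                           + "\"Command\":\"calc.exe\",\"Message\":\"sync failed\"}";

            Exception unsafeResult = ReplicationClient.DeserializeErrorUnsafe(payload);
            Console.WriteLine("unsafe: instantiated " + unsafeResult.GetType().Name
                              + ", side effects recorded: " + CanaryException.SideEffects.Count);

            CanaryException.SideEffects.Clear();
            ReplicationClient.ReplicationException safeResult = ReplicationClient.DeserializeErrorSafe(payload);
            Console.WriteLine("safe: instantiated " + safeResult.GetType().Name
                              + " for remote type '" + safeResult.RemoteType
                              + "', side effects recorded: " + CanaryException.SideEffects.Count);
        }
    }
}
```

The unsafe path ends with a CanaryException in hand and one recorded side effect, even though the client only asked for an Exception; the safe path never constructs anything the sender named. Checking that "$type" is assignable to the declared type, as Json.NET does, is not a defense on its own: every Exception subclass the process can load is a candidate. Restricting TypeNameHandling is the fix, and a custom SerializationBinder allowlist is only a fallback where polymorphic deserialization genuinely cannot be avoided.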
What To Do Now: Upgrade to Lucene.NET 4.8.0-beta00017, which contains the fix. Where an upgrade has to wait, reduce the attack's preconditions: run replication over TLS with server verification so traffic cannot be intercepted or altered, and make sure replication clients are only ever pointed at replication node URLs you control.