CVE-2024-52577

CVE-2024-52577 is a critical deserialization vulnerability (CWE-502) in Apache Ignite versions from 2.6.0 and before 2.17.0. It occurs because configured Class Serialization Filters are ignored for some Ignite endpoints, enabling the server to process untrusted serialized data without restrictions. This flaw allows deserialization of malicious objects whose classes are present in the Ignite server classpath, potentially leading to arbitrary code execution on the server side.

A remote, unauthenticated attacker can exploit this vulnerability by manually crafting an Ignite message containing a suitable deserialization gadget and sending it to affected Ignite server endpoints. Upon receipt and deserialization by the server, the gadget can trigger arbitrary code execution with the privileges of the Ignite process. The CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) reflects network accessibility, high attack complexity, changed scope, and high impact across confidentiality, integrity, and availability.

Advisories from the Apache mailing list (https://lists.apache.org/thread/1bst0n27m9kb3b6f6hvlghn182vqb2hh) and OSS-Security (http://www.openwall.com/lists/oss-security/2025/02/14/2) published on 2025-02-14 detail the issue and confirm it is addressed in Apache Ignite 2.17.0, where serialization filters are properly enforced on the affected endpoints. Security practitioners should prioritize upgrading to version 2.17.0 or later to mitigate the risk.