We would like to inform you about the impact of the recently reported vulnerability CVE-2024-520246. Although the vulnerability is still awaiting analysis by NIST for a score in the NVD (National Vulnerability Database), other researchers have already confirmed a potentially severe impact, so we would like to share the following information with our Customers.
The vulnerability allows malicious actors to exploit a flaw in Apache MINA affecting MINA core versions 2.0.X, 2.1.X and 2.2.X, potentially leading to Remote Code Execution (RCE). It is important to highlight that, according to the NVD article, the vulnerability applies only when the "IoBuffer#getObject() method is called, and this specific method is potentially called when adding a ProtocolCodecFilter instance using the ObjectSerializationCodecFactory class in the filter chain."
We would like to confirm to our Customers that Chemaxon Products DO NOT include this particular implementation and do not use ObjectSerializationDecoder from Apache MINA; therefore our products are not affected by the CVE-2024-520246 vulnerability.
In line with Chemaxon's approach of continuously addressing identified application vulnerabilities, newer releases will also include the remediations for any identified vulnerabilities that apply to our products.