CVE-2023-24977

7.5 HIGH

📋 TL;DR

This CVE describes an out-of-bounds read vulnerability in Apache InLong that could allow attackers to read sensitive information from memory. It affects Apache InLong versions 1.1.0 through 1.5.0. The vulnerability could lead to information disclosure or be used as part of a larger attack chain.

💻 Affected Systems

Products:
  • Apache InLong
Versions: 1.1.0 through 1.5.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments running affected versions are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could read sensitive data from memory including credentials, configuration secrets, or other application data, potentially leading to full system compromise.

🟠 Likely Case

Information disclosure of application memory contents, which could reveal sensitive data or be used to bypass security controls.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls, though the vulnerability still exists.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Out-of-bounds read vulnerabilities typically require some knowledge of the target system but can be exploited without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.0 or later (any release after 1.5.0)

Vendor Advisory: https://lists.apache.org/thread/ggozxorctn3tdll7bgmpwwcbjnd0s6w7

Restart Required: Yes

Instructions:

1. Upgrade to Apache InLong version 1.6.0 or later.
2. Alternatively, apply the fix from GitHub PR #7214.
3. Restart all InLong services after patching.

🔧 Temporary Workarounds

Network segmentation (all platforms): Restrict network access to InLong services to only trusted sources.

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure
  • Monitor for unusual memory access patterns or crashes

🔍 How to Verify

Check if Vulnerable:

Check the InLong version: if it is between 1.1.0 and 1.5.0 inclusive, the system is vulnerable.

Check Version:

Check InLong configuration files or application logs for version information

Verify Fix Applied:

Verify that the version is 1.6.0 or later, or that the fix from GitHub PR #7214 has been applied.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes, memory access errors, or unusual out-of-bounds read attempts

Network Indicators:

  • Unusual requests to InLong endpoints, especially those triggering memory operations

SIEM Query:

Search application logs for memory access errors or segmentation faults originating from InLong processes.
