CVE-2024-27905

9.1 CRITICAL

📋 TL;DR

This vulnerability in Apache Aurora allows unauthenticated attackers to use an information disclosure endpoint as a padding oracle and forge valid authentication cookies. This can lead to authentication bypass and, when combined with other vulnerabilities, remote code execution. Because the project is retired and no longer supported, every Apache Aurora installation is affected and no fixed version exists.

💻 Affected Systems

Products:
  • Apache Aurora
Versions: All versions (project is retired)
Operating Systems: All platforms running Apache Aurora
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Apache Aurora instances. Project is officially retired with no planned fixes.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution through authentication bypass combined with other vulnerabilities, potentially leading to full system compromise.

🟠 Likely Case

Authentication bypass allowing unauthorized access to sensitive Aurora functionality and data.

🟢 If Mitigated

Limited information disclosure about internal system state without authentication bypass.

🌐 Internet-Facing: HIGH - Unauthenticated exploit allows remote attackers to forge authentication cookies.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this, but it requires network access to the Aurora instance.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires understanding of padding oracle attacks but no authentication needed. Could be combined with other vulnerabilities for RCE.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None - project retired

Vendor Advisory: https://lists.apache.org/thread/564kbv3wqdzkscmdn2bg4vlk48qymryp

Restart Required: No

Instructions:

No official patch available. Project maintainers recommend migrating to alternative solutions.

🔧 Temporary Workarounds

Network Access Restriction

Platform: linux

Restrict access to Apache Aurora instances to trusted networks only

Use firewall rules to limit access (replace the bracketed placeholders; because -A appends, the ACCEPT rule must be added before the DROP rule):
iptables -A INPUT -p tcp --dport [aurora_port] -s [trusted_network] -j ACCEPT
iptables -A INPUT -p tcp --dport [aurora_port] -j DROP

Authentication Layer

Platform: all

Add additional authentication layer in front of Aurora

Configure a reverse proxy with authentication in front of Aurora (nginx or Apache httpd with auth_basic)
Implement IP whitelisting at the load balancer level

🧯 If You Can't Patch

  • Migrate to alternative scheduler/orchestration system (Mesos with Marathon, Kubernetes, Nomad)
  • Isolate Aurora instances in separate network segments with strict access controls

🔍 How to Verify

Check if Vulnerable:

Check if Apache Aurora is running and accessible without authentication. Test endpoint exposure using curl: curl -v http://[aurora_host]:[port]/api

Check Version:

Check Aurora version via API: curl http://[aurora_host]:[port]/api/v1/version or check running process

Verify Fix Applied:

Verify network restrictions are in place by testing access from unauthorized networks. Confirm additional authentication layer requires credentials.

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication attempts from new IPs
  • Multiple failed authentication attempts followed by successful login
  • Access to sensitive endpoints with no corresponding authentication log entry

Network Indicators:

  • Unusual traffic patterns to Aurora authentication endpoints
  • Multiple requests to padding oracle endpoint from single source
  • Traffic from unexpected networks to Aurora ports

SIEM Query:

source="aurora.log" AND ("authentication" OR "cookie") AND status="200" AND src_ip NOT IN [trusted_networks]
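The indicators above (traffic from outside trusted networks, many requests from one source to a single endpoint, and a run of failures followed by a success) can be checked offline against exported access logs. The following Python script is an added example written for this page, not tooling from the Apache Aurora project. It assumes a simplified line format `<timestamp> <src_ip> "<METHOD> <path>" <status>` and constructed sample lines; the trusted network, thresholds and the `203.0.113.7` source are illustrative values, and a real deployment would adapt the regex to its own log layout.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed line format (constructed for this example, not Aurora's real log layout):
#   <timestamp> <src_ip> "<METHOD> <path>" <status>
LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+)" (\d{3})$')

# Networks from which Aurora access is expected (constructed value).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

BURST_THRESHOLD = 20    # requests from one source to one path before it is flagged
FAILURE_STREAK = 5      # consecutive non-2xx responses after which a 200 is suspicious

# Constructed sample: routine traffic from a trusted host, plus one external host
# repeatedly hitting a single endpoint and finally receiving a 200.
SAMPLE_LINES = [
    '2024-03-01T10:00:01Z 10.0.0.5 "GET /api" 200',
    '2024-03-01T10:00:02Z 10.0.0.5 "GET /scheduler" 200',
] + [
    f'2024-03-01T10:01:{i:02d}Z 203.0.113.7 "POST /api" {401 if i < 24 else 200}'
    for i in range(25)
]


def parse_line(line):
    """Return (src_ip, method, path, status) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, src, method, path, status = m.groups()
    return src, method, path, int(status)


def is_trusted(src_ip, networks=TRUSTED_NETWORKS):
    """True if src_ip falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def analyze(lines, networks=TRUSTED_NETWORKS,
            burst_threshold=BURST_THRESHOLD, failure_streak=FAILURE_STREAK):
    """Apply the three indicators to an iterable of log lines."""
    untrusted = set()
    per_source_path = defaultdict(Counter)   # (src, path) -> Counter of statuses
    streak = defaultdict(int)                # (src, path) -> current non-2xx streak
    failures_then_success = set()

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                         # skip malformed lines rather than abort
        src, _method, path, status = parsed
        if not is_trusted(src, networks):
            untrusted.add(src)
        key = (src, path)
        per_source_path[key][status] += 1
        if 200 <= status < 300:
            if streak[key] >= failure_streak:
                failures_then_success.add(key)
            streak[key] = 0
        else:
            streak[key] += 1

    # A padding-oracle probe shows up as one source sending many requests to
    # the same endpoint; the status mix is reported so an analyst can see
    # whether the server answered differently to different inputs.
    bursts = [
        {"src": src, "path": path, "count": sum(c.values()), "statuses": dict(c)}
        for (src, path), c in per_source_path.items()
        if sum(c.values()) >= burst_threshold
    ]
    return {
        "untrusted_sources": sorted(untrusted),
        "bursts": bursts,
        "failures_then_success": sorted(failures_then_success),
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LINES).items():
        print(name, finding)
```

Run against the constructed sample, the script reports `203.0.113.7` as an untrusted source, a 25-request burst against `/api` with 24 failures and one success, and a failures-then-success event for that source and path; thresholds should be tuned to the deployment's normal traffic before the output is treated as an alert.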
