CVE-2024-5352
📋 TL;DR
This critical vulnerability in anji-plus AJ-Report allows remote attackers to execute arbitrary code through insecure deserialization in the validationRules function. Organizations using AJ-Report versions up to 1.4.1 are affected, potentially enabling complete system compromise.
💻 Affected Systems
- anji-plus AJ-Report
📦 What is this software?
Aj Report by Anji Plus
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to full system takeover, data exfiltration, and lateral movement within the network.
Likely Case
Remote code execution allowing attackers to deploy malware, steal sensitive data, or disrupt reporting services.
If Mitigated
Limited impact if proper network segmentation and input validation are in place, though deserialization vulnerabilities remain dangerous.
🎯 Exploit Status
Exploit details have been publicly disclosed, making weaponization highly probable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.2 or later
Vendor Advisory: https://github.com/anji-plus/report/issues/34
Restart Required: Yes
Instructions:
1. Check the current version.
2. Update to AJ-Report 1.4.2 or later.
3. Restart the application.
4. Verify the fix.
🔧 Temporary Workarounds
Network Isolation
Restrict network access to AJ-Report instances to trusted IPs only (Linux, iptables):
iptables -A INPUT -p tcp --dport [AJ-Report-port] -s [trusted-ip] -j ACCEPT
iptables -A INPUT -p tcp --dport [AJ-Report-port] -j DROP
Input Validation Filter
Implement WAF rules to block suspicious deserialization patterns
🧯 If You Can't Patch
- Isolate AJ-Report instances in a dedicated network segment with strict egress filtering
- Implement application-level input validation and monitoring for deserialization attempts
🔍 How to Verify
Check if Vulnerable:
Check the application version in the web interface or configuration files. If the version is 1.4.1 or earlier, it is vulnerable.
Check Version:
Check application.properties or the web interface for version information
Verify Fix Applied:
Verify the application version is 1.4.2 or later and test the validationRules endpoint with safe payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual Java deserialization patterns in application logs
- Stack traces containing 'DataSetParamController' or 'validationRules'
- Unexpected process execution from AJ-Report
Network Indicators:
- Unusual outbound connections from AJ-Report servers
- Suspicious payloads to /datasetparam/verification endpoints
SIEM Query:
source="aj-report" AND ("DataSetParamController" OR "validationRules" OR "deserialization")
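As an added example (not code from the AJ-Report project or from this advisory's author), the following Python script turns the log and network indicators above, together with the version check from "How to Verify", into something that can be run over captured log lines; the sample log lines and the regexes are constructed here and assume the indicators are searched for as plain substrings.

```python
import re

# Constructed sample lines (not real AJ-Report output): an access-log entry for an
# unrelated endpoint, a POST to the endpoint named in the advisory, an application-log
# line naming the controller and method, and a benign line that should not match.
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/May/2024:10:01:02 +0000] "GET /datasetparam/pageList HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/May/2024:10:03:44 +0000] "POST /datasetparam/verification HTTP/1.1" 500 0',
    'ERROR DataSetParamController - validationRules: deserialization of rule payload failed',
    'INFO  ReportController - rendered dashboard 42 in 120ms',
]

# Patterns built from the indicators listed in the advisory. The endpoint pattern only
# fires on write methods (assumption: a plain GET to the same path is routine traffic).
INDICATORS = {
    "endpoint": re.compile(r'"(?:POST|PUT)\s+/datasetparam/verification\b'),
    "controller": re.compile(r'DataSetParamController|validationRules'),
    "deserialization": re.compile(r'deserializ', re.IGNORECASE),
}


def scan_logs(lines):
    """Return [(line_number, [indicator names])] for every line matching an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        matched = [name for name, rx in INDICATORS.items() if rx.search(line)]
        if matched:
            hits.append((n, matched))
    return hits


def parse_version(text):
    """Extract the first dotted numeric run from strings such as 'v1.4.1' or '1.4.2-RELEASE'."""
    m = re.search(r'(\d+(?:\.\d+)*)', text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.group(1).split('.'))


def is_vulnerable(version_text):
    """True when the version is 1.4.1 or earlier; the advisory gives 1.4.2 as the fixed release."""
    return parse_version(version_text) < (1, 4, 2)


if __name__ == "__main__":
    for n, names in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {', '.join(names)}")
    for v in ("1.4.1", "1.4.2", "1.10.0"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

Tuple comparison keeps 1.10.0 above 1.4.2, which a plain string comparison would get wrong.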
🔗 References
- https://github.com/anji-plus/report/files/15363269/aj-report.pdf
- https://github.com/anji-plus/report/issues/34
- https://vuldb.com/?ctiid.266264
- https://vuldb.com/?id.266264