Yulate

**Name of the Vulnerable Software and Affected Versions** Apache HugeGraph-Server versions prior to 1.7.0 **Description** A remote code execution issue exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process against object injection attacks. Hessian is a binary object serialization format. **Recommendations** Upgrade to version 1.7.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apache InLong versions 1.13.0 through 2.1.0 **Description** The issue is related to the deserialization of untrusted data in Apache InLong, which can lead to the bypass of JDBC URL encoding and backspace. This can potentially cause security problems. **Recommendations** For Apache InLong versions 1.13.0 through 2.1.0, update to version 2.2.0 to resolve the issue. Alternatively, cherry-pick the solution from the provided GitHub pull request to solve it.

**Name of the Vulnerable Software and Affected Versions** Apache EventMesh versions prior to 1.11.0 **Description** The issue concerns the deserialization of untrusted data at the eventmesh-meta-raft plugin module in Apache EventMesh, allowing attackers to send controlled messages and execute remote code via the Hessian deserialization RPC protocol. This affects platforms such as Windows, Linux, and Mac OS. **Recommendations** For versions prior to 1.11.0, users can use the code under the master branch in the project repository or update to version 1.11.0 to fix this issue. As a temporary workaround, consider restricting access to the vulnerable `eventmesh-meta-raft` plugin module until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Apache InLong versions 1.13.0 through 2.1.0 **Description** The issue is a deserialization of untrusted data in Apache InLong. This can lead to remote code execution through insecure deserialization during JDBC verification. The issue is a secondary mining bypass for CVE-2024-26579. **Recommendations** Upgrade to Apache InLong version 2.2.0 to resolve the issue. Alternatively, carefully select a patch from the following pull request: https://github.com/apache/inlong/pull/11732.

Name of the Vulnerable Software and Affected Versions: Apache HertzBeat (incubating) versions prior to 1.6.1 Description: This issue is related to an improper neutralization of special elements used in a command, also known as a 'Command Injection' vulnerability. The vulnerability can only be exploited by authorized attackers. Recommendations: For Apache HertzBeat (incubating) versions prior to 1.6.1, upgrade to version 1.6.1 to resolve the issue. As a temporary workaround, consider restricting access to sensitive commands or functions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0 **Description** The issue is related to a vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware, specifically in the Core component. This vulnerability allows an unauthenticated attacker with network access via T3, IIOP to compromise the Oracle WebLogic Server. Successful attacks can result in the takeover of the Oracle WebLogic Server. It is estimated that over 18,000 services are potentially affected. The vulnerability can be exploited by sending specially crafted network packets, allowing an attacker to gain full access to the vulnerable software. **Recommendations** For Oracle WebLogic Server version 12.2.1.4.0, update to a newer version to mitigate the risk. For Oracle WebLogic Server version 14.1.1.0.0, update to a newer version to mitigate the risk. As a temporary workaround, consider restricting access to the T3 and IIOP protocols to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache HertzBeat (incubating) versions prior to 1.6.0 **Description** The software is susceptible to a remote code execution issue stemming from a malicious XML deserialization flaw within the SnakeYaml component. This issue can only be exploited by authorized attackers. **Recommendations** Upgrade to version 1.6.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server version 12.2.1.4.0 Oracle WebLogic Server version 14.1.1.0.0 **Description** A flaw in the Core component of Oracle WebLogic Server, part of Oracle Fusion Middleware, is caused by insufficient input validation and a post-deserialization issue. This allows an unauthenticated remote attacker with network access to compromise the server via T3 or IIOP protocols. Successful exploitation can lead to unauthorized access to critical data, complete access to all accessible server data, or remote code execution. There is evidence of active exploitation in the wild, with threat actors targeting internet-exposed servers to deploy ransomware, steal data, or install crypto-miners. **Recommendations** Apply the July 2024 Critical Patch Update for version 12.2.1.4.0. Apply the July 2024 Critical Patch Update for version 14.1.1.0.0. As a temporary mitigation, block external access to T3 and IIOP protocols (default port 7001) and restrict exposure to trusted networks only.