CVE-2024-45772: 
Java vulnerability analysis and mitigation

A Deserialization of Untrusted Data vulnerability (CVE-2024-45772) was discovered in Apache Lucene Replicator, affecting versions from 4.4.0 to 9.12.0. The vulnerability specifically impacts the deprecated org.apache.lucene.replicator.http package, while the org.apache.lucene.replicator.nrt package remains unaffected. The vulnerability was discovered by Summ3r from Vidar-Team and coordinated by Paul Irwin from Apache Lucene.NET (OSS Security).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). The CVSS v3.1 scores vary between sources, with NVD assigning a base score of 8.0 (HIGH) with vector CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while Apache Software Foundation rates it at 5.1 (MEDIUM) with vector CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L. The deserialization vulnerability can only be triggered when users actively deploy a network-accessible implementation and a corresponding client using an HTTP library that uses the API, such as a custom servlet and HTTPClient (NVD).

The vulnerability could potentially lead to unauthorized data access, system compromise, and service disruption when exploited in systems using the affected org.apache.lucene.replicator.http package (NVD).

Users are recommended to upgrade to Apache Lucene version 9.12.0, which contains the fix for this vulnerability. For those unable to upgrade immediately, Java serialization filters can be implemented as a temporary mitigation measure by using the command line parameter -Djdk.serialFilter='!*', which will not impact functionality on vulnerable versions (NVD).