CVE-2024-8447: 
Java vulnerability analysis and mitigation

A security issue was discovered in the LRA Coordinator component of Narayana, identified as CVE-2024-8447. The vulnerability was disclosed on January 2, 2025, affecting the LRA (Long Running Action) functionality. When Cancel is called in LRA, an execution time of approximately 2 seconds occurs, during which if Join is called with the same LRA ID, the application may crash or hang indefinitely (NVD, Red Hat).

The vulnerability is classified as CWE-833 (Deadlock) and has been assigned a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue stems from a synchronization problem in the LRA Coordinator component where concurrent operations on the same LRA ID within a specific timeframe can lead to deadlock conditions (NVD).

The primary impact of this vulnerability is a potential denial of service condition. When exploited, the application may either crash or enter an indefinite hang state, making the service unavailable to users (NVD).

A fix has been implemented by replacing synchronized methods with Reentrant Locks in the LRAService joinLRA method, as evidenced by the patch submitted to the Narayana project (GitHub PR).