CVE-2024-43383 Overview
CVE-2024-43383 is a deserialization of untrusted data vulnerability [CWE-502] affecting the Apache Lucene.NET Replicator library. The flaw exists in versions 4.8.0-beta00005 through 4.8.0-beta00016. An attacker who can intercept replication traffic or control the target replication node URL can deliver a crafted JSON response that gets deserialized as an attacker-chosen exception type. Successful exploitation leads to remote code execution or unauthorized access on the replication client. The Apache project has published 4.8.0-beta00017 as the fixed release.
Critical Impact
An attacker positioned on the network path between a replication client and its server, or able to point the client at a replication URL they control, can achieve remote code execution on the client by returning a malicious JSON payload in place of a legitimate reply.
Affected Products
- Apache Lucene.NET Replicator 4.8.0-beta00005 through 4.8.0-beta00016
- .NET applications consuming the Lucene.Net.Replicator package for index replication
- Search and indexing services built on vulnerable Lucene.NET versions
Discovery Timeline
- 2024-10-31 - CVE-2024-43383 published to NVD
- 2025-02-11 - Last updated in NVD database
Technical Details for CVE-2024-43383
Vulnerability Analysis
The Lucene.Net.Replicator library coordinates index replication between a primary node and one or more replica clients over HTTP. When the client receives an error response from the server, it deserializes the JSON body to reconstruct an exception object on the client side. The deserialization path honors a type identifier supplied in the JSON, allowing the client to instantiate arbitrary types referenced by the attacker.
An attacker who controls the response, either through traffic interception or by directing the client to a malicious replication URL, can supply a gadget type whose constructor or property setters trigger code execution. The Common Weakness Enumeration classifies this defect as CWE-502: Deserialization of Untrusted Data. The EPSS score recorded on this page is 4.731% (89th percentile); EPSS is recomputed daily, so treat that figure as a snapshot rather than a fixed property of the vulnerability.
Root Cause
The root cause is unsafe polymorphic deserialization of attacker-controlled JSON. The replicator accepts a runtime type hint from the wire payload and resolves it to a .NET type without restricting the allowed set of exception classes. Any type loadable in the application domain can be instantiated through the deserializer, breaking the trust boundary between the replication server and client.
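The following block is an added illustration written for this page, not Lucene.NET's own code and not the project's beta00017 patch. It reconstructs the pattern the advisory describes using Newtonsoft.Json (an assumption: the package and the `Type`/`Message` error shape are chosen for the example) and places it beside a hardened form. `FakeGadget` is a harmless stand-in for a real gadget type: its setter only records that it ran, where a real gadget would start a process or load code. The vulnerable client honors the wire payload's `$type`; the hardened client ignores type metadata, deserializes into a fixed DTO, and maps the error name through a closed allowlist.

```csharp
// Added example (not Lucene.NET's code). Assumes the Newtonsoft.Json NuGet package.
using System;
using System.Collections.Generic;
using Newtonsoft.Json;

namespace ReplicatorDemo
{
    // Harmless stand-in for a deserialization gadget: the setter just records that it ran.
    public sealed class FakeGadget
    {
        public static bool Triggered;
        private string _command;
        public string Command { get => _command; set { Triggered = true; _command = value; } }
    }

    public static class UnsafeClient
    {
        // The dangerous setting: "$type" in the wire payload chooses the .NET type to construct.
        private static readonly JsonSerializerSettings Settings =
            new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All };

        // Rebuilds the server's exception from an error body. Any loadable type is accepted;
        // the cast to Exception only fails after constructors and setters have already run.
        public static Exception ReadError(string body)
            => (Exception)JsonConvert.DeserializeObject(body, Settings);
    }

    // Fixed wire shape for errors (assumed for this example): plain strings, no type metadata.
    public sealed class RemoteError
    {
        public string Type { get; set; }
        public string Message { get; set; }
    }

    public static class HardenedClient
    {
        private static readonly JsonSerializerSettings Settings =
            new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None };

        // Closed allowlist: the client decides which exception types can exist, keyed by name.
        private static readonly Dictionary<string, Func<string, Exception>> Known =
            new Dictionary<string, Func<string, Exception>>(StringComparer.Ordinal)
            {
                ["System.IO.IOException"] = m => new System.IO.IOException(m),
                ["System.IO.FileNotFoundException"] = m => new System.IO.FileNotFoundException(m),
                ["System.InvalidOperationException"] = m => new InvalidOperationException(m),
            };

        public static Exception ReadError(string body)
        {
            // With TypeNameHandling.None, "$type" is consumed as metadata and never resolved.
            var dto = JsonConvert.DeserializeObject<RemoteError>(body, Settings)
                      ?? throw new FormatException("Empty replication error body");
            return Known.TryGetValue(dto.Type ?? string.Empty, out var make)
                ? make(dto.Message ?? string.Empty)
                : new InvalidOperationException($"Remote replication error ({dto.Type}): {dto.Message}");
        }
    }

    public static class Program
    {
        public static void Main()
        {
            // Constructed attacker response: "$type" names the stand-in gadget, not an exception.
            string gadgetType = typeof(FakeGadget).AssemblyQualifiedName;
            string malicious = "{\"$type\":\"" + gadgetType + "\",\"Command\":\"calc.exe\"}";

            try { UnsafeClient.ReadError(malicious); }
            catch (InvalidCastException) { /* too late: the setter already ran */ }
            Console.WriteLine($"vulnerable client ran the gadget: {FakeGadget.Triggered}");

            FakeGadget.Triggered = false;
            Exception safe = HardenedClient.ReadError(malicious);
            Console.WriteLine($"hardened client ran the gadget: {FakeGadget.Triggered}");
            Console.WriteLine($"hardened client produced: {safe.GetType().Name}: {safe.Message}");
        }
    }
}
```

A custom `ISerializationBinder` that rejects anything not assignable to `System.Exception` is a reasonable defense-in-depth layer, but it still lets the remote side pick any loadable exception subtype and drive its setters; a fixed DTO with `TypeNameHandling.None` removes the type choice from the wire entirely, which is why the example prefers it.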
Attack Vector
Exploitation requires a network position between the replication client and server, or the ability to influence the replication node URL configured on the victim. The attacker returns a specially crafted JSON response in place of a legitimate replication reply. The client parses the response, instantiates the attacker-selected type, and runs that type's constructor and property setters, which is where attacker logic executes. No authentication to the client and no user interaction are required. Refer to the Apache Mailing List Thread and the OpenWall OSS Security Update for additional technical detail.
Detection Methods for CVE-2024-43383
Indicators of Compromise
- Replication clients connecting to hosts other than their expected replication server, or replication endpoints receiving traffic from hosts that are not known replication peers
- Replication client processes spawning child processes such as cmd.exe, powershell.exe, or /bin/sh
- JSON responses on replicator endpoints carrying a "$type" discriminator (or an equivalent type identifier) that names a type outside the System.Exception hierarchy, or one that does not resolve at all
- Anomalous module or assembly loads in .NET processes that host the Lucene.Net.Replicator library
Detection Strategies
- Inventory all .NET applications for the Lucene.Net.Replicator dependency and flag versions 4.8.0-beta00005 through 4.8.0-beta00016
- Inspect HTTP responses to replication clients for JSON payloads containing $type-style discriminators or non-standard exception type names
- Apply behavioral identification to detect unusual process lineage from .NET host processes consuming replication APIs
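The inspector below is an added example for the second strategy, not a Lucene.NET component: given a captured JSON response body, it walks every object, including nested ones, and flags each `$type` discriminator that either fails to resolve in the inspecting process or resolves to something that is not a `System.Exception` subtype. Resolution happens only in the inspector, which never instantiates anything. The sample bodies are constructed for the example, and the assembly names assume .NET 6 or later (`System.Private.CoreLib`; on .NET Framework the same types live in `mscorlib`).

```csharp
// Added example (not Lucene.NET's code). Assumes .NET 6+ for System.Text.Json and assembly names.
using System;
using System.Collections.Generic;
using System.Text.Json;

public static class TypeDiscriminatorInspector
{
    public sealed class Finding
    {
        public string Path;
        public string TypeName;
        public string Reason;
        public override string ToString() => $"{Path}: \"{TypeName}\" ({Reason})";
    }

    // Walks the whole document: gadget chains routinely hide the dangerous "$type"
    // inside a property of an innocuous-looking outer object.
    public static List<Finding> Inspect(string body)
    {
        var findings = new List<Finding>();
        using (var doc = JsonDocument.Parse(body))
            Walk(doc.RootElement, "$", findings);
        return findings;
    }

    private static void Walk(JsonElement el, string path, List<Finding> findings)
    {
        switch (el.ValueKind)
        {
            case JsonValueKind.Object:
                foreach (var p in el.EnumerateObject())
                {
                    if (p.Name == "$type" && p.Value.ValueKind == JsonValueKind.String)
                        Check(p.Value.GetString(), path, findings);
                    Walk(p.Value, path + "." + p.Name, findings);
                }
                break;
            case JsonValueKind.Array:
                int i = 0;
                foreach (var item in el.EnumerateArray())
                    Walk(item, path + "[" + (i++) + "]", findings);
                break;
        }
    }

    private static void Check(string typeName, string path, List<Finding> findings)
    {
        // Only the inspector resolves the name; nothing is constructed. A name that does not
        // resolve here (for example a WPF gadget assembly) is suspicious in its own right.
        Type t = Type.GetType(typeName, throwOnError: false);
        if (t == null)
            findings.Add(new Finding { Path = path, TypeName = typeName, Reason = "unresolvable type" });
        else if (!typeof(Exception).IsAssignableFrom(t))
            findings.Add(new Finding { Path = path, TypeName = typeName, Reason = "not an Exception subtype" });
    }

    public static void Main()
    {
        // Constructed samples: a legitimate error body and one smuggling a well-known
        // non-exception gadget type (ObjectDataProvider) inside a nested property.
        string benign =
            "{\"$type\":\"System.IO.FileNotFoundException, System.Private.CoreLib\",\"Message\":\"segment missing\"}";
        string hostile =
            "{\"$type\":\"System.IO.IOException, System.Private.CoreLib\"," +
            "\"Data\":{\"$type\":\"System.Windows.Data.ObjectDataProvider, PresentationFramework\",\"MethodName\":\"Start\"}}";

        foreach (var body in new[] { benign, hostile })
        {
            var hits = Inspect(body);
            Console.WriteLine(hits.Count == 0 ? "clean" : string.Join("\n", hits));
        }
    }
}
```

Run it from a console app: the benign body reports clean, the hostile body reports the nested `$.Data` discriminator as unresolvable (or as "not an Exception subtype" if the inspector happens to run inside a WPF process where `PresentationFramework` is loaded). Feed it bodies captured at a TLS-terminating proxy or from application-level response logging; it is a triage aid for captured traffic, not a substitute for the upgrade.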
Monitoring Recommendations
- Verify that every replication URL uses HTTPS with certificate validation and alert on any plaintext HTTP replication endpoint; the interception vector depends on an unprotected channel
- Alert on changes to replication node URLs in application configuration files or environment variables
- Collect process creation, network, and module load telemetry from systems running Lucene.NET to enable retrospective hunting
How to Mitigate CVE-2024-43383
Immediate Actions Required
- Upgrade Lucene.Net.Replicator to version 4.8.0-beta00017 or later across all affected applications
- Enforce HTTPS with certificate validation for all replication client and server communication; this closes the interception vector only, so a client still pointed at an attacker-controlled URL remains exploitable until upgraded
- Restrict replication node URLs to a hardcoded allowlist and remove user-configurable replication endpoints where feasible
- Audit configuration management systems for any unauthorized modification of replication URLs
Patch Information
The Apache Lucene.NET project released version 4.8.0-beta00017, which fixes the unsafe deserialization in the Replicator library. Update package references in .csproj files or NuGet package manifests and redeploy affected applications. Refer to the Apache Mailing List Thread for the official advisory.
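The scanner below is an added example, not a Lucene.NET tool: it walks a source tree, reads each .csproj, and classifies every `Lucene.Net.Replicator` PackageReference against the affected range 4.8.0-beta00005 through 4.8.0-beta00016. It relies on the fact that the beta suffix is zero-padded, so the numeric part can be compared directly; anything that is not a plain `4.8.0-betaNNNNN` string is reported as unknown rather than safe.

```csharp
// Added example (not Lucene.NET's code). Scans .csproj files for the affected package range.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Xml.Linq;

public static class ReplicatorInventory
{
    private const string Package = "Lucene.Net.Replicator";
    private const int FirstBad = 5, LastBad = 16, Fixed = 17;

    // Parses the numeric suffix of a 4.8.0-betaNNNNN version. Returns null for anything else
    // (wildcards, floating ranges, other prereleases), which callers treat as "check manually".
    public static int? BetaNumber(string version)
    {
        const string prefix = "4.8.0-beta";
        if (version == null || !version.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)) return null;
        return int.TryParse(version.Substring(prefix.Length), out int n) ? n : (int?)null;
    }

    public static string Classify(string version)
    {
        int? n = BetaNumber(version);
        if (n == null) return "unknown";
        if (n >= FirstBad && n <= LastBad) return "vulnerable";
        return n >= Fixed ? "fixed" : "pre-vulnerable";
    }

    public sealed class Hit { public string Project; public string Version; public string Status; }

    // Handles both <PackageReference Include=".." Version=".."/> and the nested <Version> element form.
    public static IEnumerable<Hit> ScanProject(string csprojPath)
    {
        var doc = XDocument.Load(csprojPath);
        foreach (var pr in doc.Descendants().Where(e => e.Name.LocalName == "PackageReference"))
        {
            string id = (string)pr.Attribute("Include") ?? (string)pr.Attribute("Update");
            if (!string.Equals(id, Package, StringComparison.OrdinalIgnoreCase)) continue;
            string version = (string)pr.Attribute("Version")
                ?? pr.Elements().FirstOrDefault(e => e.Name.LocalName == "Version")?.Value;
            yield return new Hit { Project = csprojPath, Version = version, Status = Classify(version) };
        }
    }

    public static List<Hit> ScanTree(string root) =>
        Directory.EnumerateFiles(root, "*.csproj", SearchOption.AllDirectories)
                 .SelectMany(ScanProject)
                 .ToList();

    public static void Main(string[] args)
    {
        string root = args.Length > 0 ? args[0] : ".";
        foreach (var h in ScanTree(root))
            Console.WriteLine($"{h.Status,-15} {h.Version,-20} {h.Project}");
    }
}
```

This only sees direct references written into project files. Versions pinned through central package management (`Directory.Packages.props`), legacy `packages.config`, or pulled in transitively by another package are not covered, so pair it with `dotnet list package --include-transitive` on each solution to confirm the resolved version before declaring a tree clean.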
Workarounds
- Place replication traffic on an isolated network segment accessible only to trusted replication peers
- Require mutually authenticated TLS (client certificates) between replication peers so that only trusted servers can answer a client; this narrows exposure but does not remove the unsafe deserialization itself
- Disable the replication feature in deployments where it is not required until the upgrade can be applied
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.