Deep Java Library Critical Vulnerability - 20240619003

Overview

A critical vulnerability has been discovered in the Deep Java Library (DJL), a widely-used open-source framework for deep learning projects. The flaw allows attackers to overwrite critical system files, potentially granting them full control over affected systems.

What is vulnerable?

Product(s) Affected	CVE	Severity	CVSS
DJL: all versions below 0.28.0	CVE-2024-37902	10.0	Critical

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of one month... (refer Patch Management):

• Github DJL Release: https://github.com/deepjavalibrary/djl/releases/tag/v0.28.0
• Github DJL Advisory: https://github.com/deepjavalibrary/djl/security/advisories/GHSA-w877-jfw7-46rj

Additional references

• Upwind article: https://www.upwind.io/feed/deep-dive-cve-2024-37902-and-potential-impact-on-deepjavalibrary-users