Hello Apache Ignite Team,

And a special hello to zhattatey — we noticed your name in the credits of
the CVE record, and we appreciate your responsible disclosure of this issue.

We are currently assessing the impact of CVE-2024-52577 on our Apache
Ignite 2.16.0 deployment and planning our remediation approach.

The official advisory states that the vulnerability affects "some Ignite
endpoints" where configured Class Serialization Filters are ignored.
However, the advisory does not enumerate which specific endpoints are
within scope. We would greatly appreciate an official clarification on the
following:

1. Could you provide a complete list of the Ignite endpoints confirmed to
be affected by this vulnerability?

2. For example, we would like to understand whether endpoints beyond the
Thin Client interface (port 10800) are included — such as the Discovery SPI
endpoint or any other internal communication endpoints.

3. As a temporary measure prior to upgrading to 2.17.0, we have enabled
authentication on the Thin Client interface. Would this be considered
sufficient mitigation, or are there other affected endpoints that require
additional controls?

A clear and complete list of affected endpoints would help us accurately
assess our exposure and prioritize our remediation efforts.

Thank you both for your time. We look forward to your response.

Best regards,

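For readers following this thread: the message above describes enabling authentication on the Thin Client connector (port 10800) as an interim measure and refers to the configured class serialization filters. The following is an added Java example, not code from the thread or from the Ignite project, showing what that interim configuration looks like programmatically: native persistence (required for Ignite's built-in authentication), authentication enabled, the client connector restricted to the thin client protocol, and a marshaller allow-list set through IgniteSystemProperties.IGNITE_MARSHALLER_WHITELIST. The file path and class name are assumed placeholders. Note that, per the advisory quoted above, the configured filters are ignored on some endpoints in affected versions, so the allow-list alone is not a fix for CVE-2024-52577 before upgrading to 2.17.0.

```java
import org.apache.ignite.Ignite;
import org.apache.ignite.IgniteSystemProperties;
import org.apache.ignite.Ignition;
import org.apache.ignite.cluster.ClusterState;
import org.apache.ignite.configuration.ClientConnectorConfiguration;
import org.apache.ignite.configuration.DataStorageConfiguration;
import org.apache.ignite.configuration.IgniteConfiguration;

public class HardenedNodeConfig {

    /** Builds a node configuration with thin-client authentication enabled. */
    public static IgniteConfiguration build() {
        IgniteConfiguration cfg = new IgniteConfiguration();

        // Ignite's built-in user authentication requires native persistence,
        // because user accounts are stored in the metastorage.
        DataStorageConfiguration storage = new DataStorageConfiguration();
        storage.getDefaultDataRegionConfiguration().setPersistenceEnabled(true);
        cfg.setDataStorageConfiguration(storage);
        cfg.setAuthenticationEnabled(true);

        // Client connector on the default port 10800; protocols not in use
        // (JDBC, ODBC) are switched off to reduce the exposed surface.
        ClientConnectorConfiguration clientCfg = new ClientConnectorConfiguration()
            .setPort(10800)
            .setThinClientEnabled(true)
            .setJdbcEnabled(false)
            .setOdbcEnabled(false);
        cfg.setClientConnectorConfiguration(clientCfg);

        return cfg;
    }

    public static void main(String[] args) {
        // Class serialization allow-list. The property must be set before the
        // node starts. The path is an assumed example; the file format follows
        // the Ignite documentation for IGNITE_MARSHALLER_WHITELIST.
        System.setProperty(IgniteSystemProperties.IGNITE_MARSHALLER_WHITELIST,
            "/etc/ignite/marshaller-whitelist.txt");

        try (Ignite ignite = Ignition.start(build())) {
            // With persistence enabled the cluster starts inactive; activate it.
            ignite.cluster().state(ClusterState.ACTIVE);
            // After activation, replace the default "ignite"/"ignite" credentials
            // (e.g. via SQL: ALTER USER "ignite" WITH PASSWORD '<new password>')
            // before exposing port 10800 to clients.
        }
    }
}
```

This covers only the Thin Client connector that the message names; whether other endpoints (Discovery SPI, internal communication) need separate controls is exactly the open question the message puts to the project, and this example does not answer it.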