The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. This vulnerability allows attackers to exploit the deserialization process by sending specially crafted malicious serialized data, potentially leading to remote code execution (RCE) attacks. This issue affects MINA core versions 2.0.X, 2.1.X and 2.2.X, and will be fixed by the releases 2.0.27, 2.1.10 and 2.2.4. It's also important to note that an application using MINA core library will only be affected if the IoBuffer#getObject() method is called, and this specific method is potentially called when adding a ProtocolCodecFilter instance using the ObjectSerializationCodecFactory class in the filter chain. If your application is specifically using those classes, you have to upgrade to the latest version of MINA core library. Upgrading will not be enough: you also need to explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance, using one of the three new methods: /** * Accept class names where the supplied ClassNameMatcher matches for * deserialization, unless they are otherwise rejected. * * @param classNameMatcher the matcher to use */ public void accept(ClassNameMatcher classNameMatcher) /** * Accept class names that match the supplied pattern for * deserialization, unless they are otherwise rejected. * * @param pattern standard Java regexp */ public void accept(Pattern pattern) /** * Accept the wildcard specified classes for deserialization, * unless they are otherwise rejected. * * @param patterns Wildcard file name patterns as defined by * {@link org.apache.commons.io.FilenameUtils#wildcardMatch(String, String) FilenameUtils.wildcardMatch} */ public void accept(String... patterns) By default, the decoder will reject *all* classes that will be present in the incoming data. Note: The FtpServer, SSHd and Vysper sub-project are not affected by this issue.

Carrying a maximum severity CVSS score, this deserialization vulnerability is being monitored by Tenable Research for signs of exploit activity

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - The ObjectSerializationDecoder in Apache MINA uses Java's native deserialization protocol to process     incoming serialized data but lacks the necessary security checks and defenses. This vulnerability allows     attackers to exploit the deserialization process by sending specially crafted malicious serialized data,     potentially leading to remote code execution (RCE) attacks. This issue affects MINA core versions 2.0.X,     2.1.X and 2.2.X, and will be fixed by the releases 2.0.27, 2.1.10 and 2.2.4. It's also important to note     that an application using MINA core library will only be affected if the IoBuffer#getObject() method is     called, and this specific method is potentially called when adding a ProtocolCodecFilter instance using     the ObjectSerializationCodecFactory class in the filter chain. If your application is specifically using     those classes, you have to upgrade to the latest version of MINA core library. Upgrading will not be     enough: you also need to explicitly allow the classes the decoder will accept in the     ObjectSerializationDecoder instance, using one of the three new methods: /** * Accept class names where     the supplied ClassNameMatcher matches for * deserialization, unless they are otherwise rejected. * *     @param classNameMatcher the matcher to use */ public void accept(ClassNameMatcher classNameMatcher) /** *     Accept class names that match the supplied pattern for * deserialization, unless they are otherwise     rejected. * * @param pattern standard Java regexp */ public void accept(Pattern pattern) /** * Accept the     wildcard specified classes for deserialization, * unless they are otherwise rejected. * * @param patterns     Wildcard file name patterns as defined by * {@link     org.apache.commons.io.FilenameUtils#wildcardMatch(String, String) FilenameUtils.wildcardMatch} */ public     void accept(String... patterns) By default, the decoder will reject *all* classes that will be present in     the incoming data. Note: The FtpServer, SSHd and Vysper sub-project are not affected by this issue.
    (CVE-2024-52046)

Note that Nessus relies on the presence of the package as reported by the vendor.

The 12.2.1.4.0 versions of Access Manager installed on the remote host are affected by a vulnerability as referenced in the April 2025 CPU advisory.

  - Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Proxy     (Apache Mina)). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability     allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager.     Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. (CVE-2024-52046)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The 13.5.0.0 versions of Enterprise Manager Base Platform installed on the remote host are affected by a vulnerability as referenced in the April 2025 CPU advisory.

  - Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager     (component: Agent Next Gen (Apache Mina SSHD)). Supported versions that are affected are 13.5.0.0.0 and     24.1.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via     HTTP to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can     result in takeover of Oracle Enterprise Manager Base Platform. (CVE-2024-29857)

  - Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager     (component: Agent Next Gen (json-smart)). Supported versions that are affected are 13.5.0.0.0 and     24.1.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via     HTTP to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can     result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle     Enterprise Manager Base Platform. (CVE-2023-1370)

  - Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager     (component: Agent Next Gen (Apache Mina)). Supported versions that are affected are 13.5.0.0.0 and     24.1.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via     HTTP to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can     result in takeover of Oracle Enterprise Manager Base Platform. (CVE-2024-52046)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle Business Process Management Suite installed on the remote host is affected by multiple vulnerabilities, as referenced in the April 2025 CPU advisory, as follows:

  - Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware     (component: Composer, Common (Apache Commons Compress)). The supported version that is affected     is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with logon to the     infrastructure where Oracle Business Process Management Suite executes to compromise Oracle Business     Process Management Suite. Successful attacks require human interaction from a person other than the     attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang     or frequently repeatable crash (complete DOS) of Oracle Business Process Management Suite. (CVE-2024-25710)

  - Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware     (component: Plugins (Apache FOP)). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle     Business Process Management Suite. Successful attacks of this vulnerability can result in unauthorized     access to critical data or complete access to all Oracle Business Process Management Suite accessible     data. (CVE-2024-28168)

  - Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware (component:
    Composer, Third Party (Apache Avro)). The supported version that is affected is 12.2.1.4.0. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle     Business Process Management Suite. Successful attacks of this vulnerability can result in unauthorized     update, insert or delete access to some of Oracle Business Process Management Suite accessible data as     well as unauthorized read access to a subset of Oracle Business Process Management Suite accessible data     and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Business Process     Management Suite. (CVE-2024-47561)

  - Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware     (component: Runtime Engine (Apache Mina)). Supported versions that are affected are 12.2.1.4.0 and     14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via     HTTP to compromise Oracle Business Process Management Suite. Successful attacks of this vulnerability     can result in takeover of Oracle Business Process Management Suite. (CVE-2024-52046)


Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
248097	Linux Distros Unpatched Vulnerability : CVE-2024-52046	Nessus	Misc.	critical
235451	Oracle Access Manager (April 2025 CPU)	Nessus	Misc.	critical
235062	Oracle Enterprise Manager Cloud Control (April 2025 CPU)	Nessus	Misc.	critical
234503	Oracle Business Process Management Suite (April 2025 CPU)	Nessus	Misc.	critical

Detections

Analytics

CVE-2024-52046

critical

Tenable Plugins

critical

critical

critical

critical