Critical Apache Avro SDK RCE flaw impacts Java applications

Summary: A critical vulnerability (CVE-2024-47561) in the Apache Avro Java SDK allows for arbitrary code execution on affected instances, impacting all versions prior to 1.11.4. Users are advised to upgrade to version 1.11.4 or 1.12.0 to mitigate the risk.

Threat Actor: Bad actors
Victim: Apache Avro users

Key Points:

  • The vulnerability allows execution of arbitrary code through schema parsing in versions 1.11.3 and earlier.
  • Security researchers recommend upgrading to versions 1.11.4 or 1.12.0 to address the flaw.
  • Mitigations include avoiding parsing user-provided schemas and sanitizing schemas before parsing.

A critical vulnerability in the Apache Avro Java Software Development Kit (SDK), tracked as CVE-2024-47561, could allow the execution of arbitrary code on vulnerable instances.

The flaw impacts all versions of the software prior to 1.11.4.

The Avro Java Software Development Kit (SDK) is a toolkit for working with Apache Avro in Java applications. Apache Avro is a data serialization framework developed as part of the Apache Hadoop project. It provides a compact, fast, and efficient way to serialize structured data, which makes it particularly useful for applications involving big data, streaming, or distributed systems.

“Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue,” reads the advisory.

The vulnerability impacts any application that allows users to provide their own Avro schemas for parsing.

Security researcher Kostya Kortchinsky from Databricks security reported the vulnerability to the Avro team.

The experts provide the following mitigations for users who are unable to apply the security updates:

  • Do not parse user-provided schemas.
  • Sanitize the schema before parsing it. For more information, ask us privately.
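The two mitigations above, expressed as a check a service can run on a user-supplied schema before handing it to the SDK's parser. This is an added example in Python, not code from the Avro project or the advisory; it assumes the schema arrives as JSON text and that only attributes defined by the Avro specification are acceptable, so any custom property causes the schema to be refused. The allowlist sets, function names and sample schemas are this example's own.

```python
import json

# Allowlist of the attributes the Avro specification defines for each schema type.
# Any other key is a custom property, which is what SDK-specific extensions read,
# so a schema carrying one is refused outright. These sets are this example's own choice.
_COMMON = {"type", "logicalType", "doc"}
_NAMED = _COMMON | {"name", "namespace", "aliases"}
_ALLOWED = {"record": _NAMED | {"fields"}, "enum": _NAMED | {"symbols", "default"},
            "fixed": _NAMED | {"size", "precision", "scale"}, "array": _COMMON | {"items", "default"},
            "map": _COMMON | {"values", "default"}}
_PRIMITIVES = {"null", "boolean", "int", "long", "float", "double", "bytes", "string"}
_FIELD = {"name", "type", "doc", "default", "order", "aliases"}

def check_node(node, named):
    # Recursively verify one schema node; raise ValueError on anything non-standard.
    if isinstance(node, str):                       # primitive name or reference to a named type
        if node not in _PRIMITIVES and node not in named:
            raise ValueError(f"reference to undefined type {node!r}")
    elif isinstance(node, list):                    # union: every branch must pass
        for branch in node:
            check_node(branch, named)
    elif isinstance(node, dict) and isinstance(node.get("type"), str):
        kind = node["type"]
        allowed = _COMMON | {"precision", "scale"} if kind in _PRIMITIVES else _ALLOWED.get(kind)
        if allowed is None:
            raise ValueError(f"unknown schema type {kind!r}")
        if extra := set(node) - allowed:
            raise ValueError(f"non-standard properties on {kind}: {sorted(extra)}")
        if kind in ("record", "enum", "fixed"):     # remember the name so later references resolve
            named.update({node["name"], f"{node.get('namespace', '')}.{node['name']}"})
        for field in node["fields"] if kind == "record" else []:
            if extra := set(field) - _FIELD:
                raise ValueError(f"non-standard properties on field: {sorted(extra)}")
            check_node(field["type"], named)
        if kind in ("array", "map"):
            check_node(node["items" if kind == "array" else "values"], named)
    else:
        raise ValueError("schema node must be a type name, a union or an object with a string 'type'")

def sanitize_schema(text):
    # Return compact JSON for a schema that passed every check; only this text reaches the parser.
    tree = json.loads(text)
    check_node(tree, set())
    return json.dumps(tree, separators=(",", ":"))

def is_spec_only(text):
    # True when the schema text uses only standard Avro attributes (and is valid JSON).
    try:
        sanitize_schema(text)
        return True
    except (ValueError, KeyError, TypeError):
        return False

# Constructed samples: a plain user record, and the same record carrying a custom property.
SAFE = '{"type":"record","name":"User","fields":[{"name":"id","type":"long"},{"name":"tags","type":{"type":"array","items":"string"}}]}'
CUSTOM = '{"type":"record","name":"User","custom-prop":"x","fields":[{"name":"id","type":"long"}]}'
```

A schema that fails the check never reaches the SDK, which is the practical form of "do not parse user-provided schemas" for a service that must accept some of them.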

Pierluigi Paganini

(SecurityAffairs – hacking, Avro Java Software Development Kit (SDK))

Source: https://securityaffairs.com/169469/security/apache-avro-java-sdk-critical-flaw.html