A critical security flaw has been disclosed in the Apache Avro Java Software Development Kit (SDK) that, if successfully exploited, could allow the execution of arbitrary code on susceptible instances.
The flaw, tracked as CVE-2024-47561, impacts all versions of the software prior to 1.11.4.
“Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code,” the project maintainers said in an advisory released last week. “Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue.”
Apache Avro, analogous to Google’s Protocol Buffers (protobuf), is an open-source project that provides a language-neutral data serialization framework for large-scale data processing.
The Avro team notes that the vulnerability affects any application that allows users to provide their own Avro schemas for parsing. Kostya Kortchinsky from the Databricks security team has been credited with discovering and reporting the security shortcoming.
As mitigations, it is recommended to sanitize schemas before parsing them and to avoid parsing user-provided schemas at all.
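The two mitigations above can be enforced at the boundary where a schema arrives, before it ever reaches the Avro parser. The following is an added example written for this page, not code from the Avro project or its advisory: it treats a schema as untrusted JSON, rejects any node carrying a Java class hint (the `java-class`, `java-key-class` and `java-element-class` properties that the Java SDK's ReflectData/SpecificData consult when mapping schema types to Java classes; treating exactly these as the dangerous set is this example's assumption), and, for the stricter mitigation, accepts only schemas whose fingerprint matches one already registered by the operator. The sample schemas, the `com.example.NotAllowed` class name and the registry contents are constructed for illustration; the fingerprint is a key-sorted JSON hash, a simplification rather than Avro's own Parsing Canonical Form.

```python
import hashlib
import json

# Assumption of this example: schema properties through which the Avro Java
# SDK's ReflectData/SpecificData choose a Java class for a schema node.
CLASS_HINT_PROPERTIES = frozenset({"java-class", "java-key-class", "java-element-class"})


class UnsafeSchemaError(ValueError):
    """Raised when a user-supplied schema must not be handed to the parser."""


def find_class_hints(node, path="$"):
    """Walk a JSON-decoded schema and return (path, property) for every class hint."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key in CLASS_HINT_PROPERTIES:
                findings.append((path, key))
            findings.extend(find_class_hints(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(find_class_hints(item, f"{path}[{index}]"))
    return findings


def sanitize_schema(schema_text, max_bytes=64 * 1024):
    """Mitigation 1: decode the schema as plain JSON and refuse it if it carries class hints."""
    if len(schema_text.encode("utf-8")) > max_bytes:
        raise UnsafeSchemaError("schema exceeds size limit")
    try:
        parsed = json.loads(schema_text)
    except json.JSONDecodeError as exc:
        raise UnsafeSchemaError(f"schema is not valid JSON: {exc}") from None
    hints = find_class_hints(parsed)
    if hints:
        where = ", ".join(f"{prop} at {path}" for path, prop in hints)
        raise UnsafeSchemaError(f"schema carries Java class hints: {where}")
    return parsed


def schema_fingerprint(schema_obj):
    """SHA-256 over a key-sorted, whitespace-free JSON encoding (simplified canonical form)."""
    canonical = json.dumps(schema_obj, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def accept_schema(schema_text, registry):
    """Mitigation 2: only schemas the operator registered in advance are parsed at all."""
    parsed = sanitize_schema(schema_text)
    if schema_fingerprint(parsed) not in registry:
        raise UnsafeSchemaError("schema is not in the registered allowlist")
    return parsed


def is_schema_safe(schema_text):
    try:
        sanitize_schema(schema_text)
        return True
    except UnsafeSchemaError:
        return False


def is_schema_accepted(schema_text, registry):
    try:
        accept_schema(schema_text, registry)
        return True
    except UnsafeSchemaError:
        return False


# Constructed sample schemas (not from the advisory).
BENIGN_SCHEMA = json.dumps({
    "type": "record", "name": "User",
    "fields": [{"name": "id", "type": "long"}, {"name": "tag", "type": "string"}],
})
# Same shape, but the string field's type node carries a class hint.
HINTED_SCHEMA = json.dumps({
    "type": "record", "name": "User",
    "fields": [
        {"name": "id", "type": "long"},
        {"name": "tag", "type": {"type": "string", "java-class": "com.example.NotAllowed"}},
    ],
})
# Benign but never registered by the operator.
UNREGISTERED_SCHEMA = json.dumps({"type": "record", "name": "Other", "fields": []})

# Constructed operator registry: fingerprints of schemas that may be parsed.
REGISTRY = {schema_fingerprint(json.loads(BENIGN_SCHEMA))}

if __name__ == "__main__":
    for label, text in [("benign", BENIGN_SCHEMA), ("hinted", HINTED_SCHEMA),
                        ("unregistered", UNREGISTERED_SCHEMA)]:
        print(label, "safe:", is_schema_safe(text), "accepted:", is_schema_accepted(text, REGISTRY))
```

Rejecting rather than stripping the offending properties is deliberate: a schema that arrives with a class hint from an untrusted party is itself a signal worth logging, and silently editing it would hide that. The allowlist path is the one to prefer wherever the set of schemas is known in advance; the property scan is the fallback for services that genuinely must accept caller-defined schemas.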
“CVE-2024-47561 impacts Apache Avro 1.11.3 and previous versions while de-serializing input received via the Avro schema,” Mayuresh Dani, Manager of Threat Research at Qualys, said in a statement shared with The Hacker News.
“Processing such input from a threat actor leads to execution of code. Based on our threat intelligence reporting, no PoC is publicly available, but this vulnerability exists while processing packages via ReflectData and SpecificData directives and can be exploited via Kafka.”
“Since Apache Avro is an open-source project, it’s used by many organizations. Based on publicly available data, a majority of these organizations are located in the US. This definitely has a lot of security implications if left unpatched, unsupervised and unprotected.”