A critical security flaw has been disclosed in the Apache Avro Java Software Development Kit (SDK) that, if successfully exploited, could allow the execution of arbitrary code on susceptible instances.
The flaw, tracked as CVE-2024-47561, impacts all versions of the software prior to 1.11.4.
“Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code,” the project maintainers said in an advisory released last week. “Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue.”
Apache Avro, analogous to Google’s Protocol Buffers (protobuf), is an open-source project that provides a language-neutral data serialization framework for large-scale data processing.
The Avro team notes that the vulnerability affects any application that allows users to supply their own Avro schemas for parsing. Kostya Kortchinsky from the Databricks security team has been credited with discovering and reporting the security shortcoming.
As mitigations, it is recommended to sanitize schemas before parsing them and to avoid parsing user-provided schemas altogether.
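The second mitigation, never handing request-supplied schema JSON to the parser, can be enforced structurally: the service parses only schemas it ships itself, and clients identify a schema by its fingerprint rather than sending the schema text. The following is an added illustration written for this article, not code from the Avro project or from the advisory. It assumes the Avro Java SDK (a patched release, 1.11.4 or 1.12.0) is on the classpath; the class name `TrustedSchemaGate` and the sample `UserEvent` schema are constructed for the example, and the fingerprint lookup uses Avro's own `SchemaNormalization.parsingFingerprint64`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.avro.Schema;
import org.apache.avro.SchemaNormalization;
import org.apache.avro.generic.GenericData;
import org.apache.avro.generic.GenericDatumReader;
import org.apache.avro.generic.GenericDatumWriter;
import org.apache.avro.generic.GenericRecord;
import org.apache.avro.io.BinaryDecoder;
import org.apache.avro.io.BinaryEncoder;
import org.apache.avro.io.DecoderFactory;
import org.apache.avro.io.EncoderFactory;

/** Resolves schemas only from a trusted, pre-parsed allowlist; client-supplied schema JSON is never parsed. */
public final class TrustedSchemaGate {

    // Constructed sample schema: the only record type this service is prepared to read.
    private static final String USER_EVENT_SCHEMA_JSON =
        "{\"type\":\"record\",\"name\":\"UserEvent\",\"namespace\":\"example\"," +
        "\"fields\":[{\"name\":\"id\",\"type\":\"long\"},{\"name\":\"action\",\"type\":\"string\"}]}";

    private final Map<Long, Schema> byFingerprint = new HashMap<>();

    public TrustedSchemaGate(List<String> trustedSchemaJson) {
        // Schema.Parser runs once at startup over text we control (classpath or config), never over request data.
        for (String json : trustedSchemaJson) {
            Schema s = new Schema.Parser().parse(json);
            byFingerprint.put(SchemaNormalization.parsingFingerprint64(s), s);
        }
    }

    /** Looks up a registered schema by the 64-bit Rabin fingerprint a client sends instead of the schema text. */
    public Schema resolve(long fingerprint) {
        Schema s = byFingerprint.get(fingerprint);
        if (s == null) {
            throw new IllegalArgumentException("unknown schema fingerprint: " + Long.toHexString(fingerprint));
        }
        return s;
    }

    /** Decodes a binary-encoded record using only a schema from the allowlist. */
    public GenericRecord decode(long writerFingerprint, byte[] payload) throws IOException {
        Schema writer = resolve(writerFingerprint);
        GenericDatumReader<GenericRecord> reader = new GenericDatumReader<>(writer);
        BinaryDecoder dec = DecoderFactory.get().binaryDecoder(new ByteArrayInputStream(payload), null);
        return reader.read(null, dec);
    }

    // The pattern the advisory warns against: schema JSON taken from the request and handed straight to the parser.
    // On Avro Java SDK versions before 1.11.4 this is the exposure described by CVE-2024-47561.
    static Schema parseUntrusted_DO_NOT_USE(String schemaJsonFromClient) {
        return new Schema.Parser().parse(schemaJsonFromClient);
    }

    public static void main(String[] args) throws IOException {
        TrustedSchemaGate gate = new TrustedSchemaGate(List.of(USER_EVENT_SCHEMA_JSON));
        Schema trusted = new Schema.Parser().parse(USER_EVENT_SCHEMA_JSON);
        long fp = SchemaNormalization.parsingFingerprint64(trusted);
        System.out.println("registered fingerprint: " + Long.toHexString(fp));

        // Producer side (constructed sample record): encode one UserEvent with the trusted schema.
        GenericRecord rec = new GenericData.Record(trusted);
        rec.put("id", 42L);
        rec.put("action", "login");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        BinaryEncoder enc = EncoderFactory.get().binaryEncoder(out, null);
        new GenericDatumWriter<GenericRecord>(trusted).write(rec, enc);
        enc.flush();

        // Consumer side: the message carries only the fingerprint, which resolves to the pre-parsed schema.
        GenericRecord back = gate.decode(fp, out.toByteArray());
        System.out.println("decoded: " + back);

        // A message naming a fingerprint that was never registered is rejected before any parsing happens.
        try {
            gate.resolve(0x1234L);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design choice is that the fingerprint is a lookup key, not a trust decision: a fingerprint that is not already in the map simply has no schema, so there is nothing to parse. Sanitizing schema JSON before parsing, the other mitigation the advisory names, is the fallback for cases where schemas genuinely must arrive at runtime; upgrading to 1.11.4 or 1.12.0 remains the primary fix.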
“CVE-2024-47561 affects Apache Avro 1.11.3 and previous versions while de-serializing input received via Avro schema,” Mayuresh Dani, manager of threat research at Qualys, said in a statement shared with The Hacker News.
“Processing such input from a threat actor leads to execution of code. Based on our threat intelligence reporting, no PoC is publicly available, but this vulnerability exists while processing packages via ReflectData and SpecificData directives and can also be exploited via Kafka.”
“Since Apache Avro is an open-source project, it is used by many organizations. Based on publicly available data, a majority of these organizations are located in the U.S. This definitely has a lot of security implications if left unpatched, unsupervised and unprotected.”