Essential Apache Avro SDK Flaw Permits Distant Code Execution in Java Functions

Oct 07, 2024Ravie LakshmananOpen Supply / Software program Safety

A essential safety flaw has been disclosed within the Apache Avro Java Software program Improvement Package (SDK) that, if efficiently exploited, might enable the execution of arbitrary code on vulnerable situations.

The flaw, tracked as CVE-2024-47561, impacts all variations of the software program previous to 1.11.4.

“Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code,” the undertaking maintainers stated in an advisory launched final week. “Customers are really useful to improve to model 1.11.4 or 1.12.0, which repair this situation.”

Apache Avro, analogous to Google’s Protocol Buffers (protobuf), is an open-source undertaking that gives a language-neutral information serialization framework for large-scale information processing.

The Avro group notes that the vulnerability impacts any utility if it permits customers to offer their very own Avro schemas for parsing. Kostya Kortchinsky from the Databricks safety group has been credited with discovering and reporting the safety shortcoming.

Cybersecurity

As mitigations, it is really useful to sanitize schemas earlier than parsing them and keep away from parsing user-provided schemas.

“CVE-2024-47561 affects Apache Avro 1.11.3 and previous versions while de-serializing input received via avroAvro schema,” Mayuresh Dani, Supervisor, supervisor of risk analysis at Qualys, stated in an announcement shared with The Hacker Information.

“Processing such input from a threat actor leads to execution of code. Based on our threat intelligence reporting, no PoC is publicly available, but this vulnerability exists while processing packages via ReflectData and SpecificData directives and can also be exploited via Kafka.”

“Since Apache Avro is an open-source project, it is used by many organizations. Based on publicly available data, a majority of these organizations are located in the U.S. This definitely has a lot of security implications if left unpatched, unsupervised and unprotected.”

Discovered this text fascinating? Comply with us on Twitter and LinkedIn to learn extra unique content material we publish.

Recent articles

9 Worthwhile Product Launch Templates for Busy Leaders

Launching a product doesn’t should really feel like blindly...

How Runtime Insights Assist with Container Safety

Containers are a key constructing block for cloud workloads,...

Microsoft Energy Pages Misconfigurations Leak Tens of millions of Information Globally

SaaS Safety agency AppOmni has recognized misconfigurations in Microsoft...