
A critical security flaw has been disclosed in the Apache Avro Java Software Development Kit (SDK) that, if successfully exploited, could allow the execution of arbitrary code on susceptible instances.
The flaw, tracked as CVE-2024-47561, affects all versions of the software prior to 1.11.4.
"Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code," the project maintainers said in an advisory released last week. "Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue."
Apache Avro, analogous to Google's Protocol Buffers (protobuf), is an open-source project that provides a language-neutral data serialization framework for large-scale data processing.
The Avro team notes that the vulnerability affects any application that allows users to provide their own Avro schemas for parsing. Kostya Kortchinsky from the Databricks security team has been credited with discovering and reporting the security shortcoming.

As mitigations, it is recommended to sanitize schemas before parsing them and to avoid parsing user-provided schemas altogether.
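The two mitigations above, shown as an added Java example that is not code from the advisory or the Avro project. It assumes the application already depends on Avro and Jackson (Avro's own JSON library). The first mitigation keeps client input away from `Schema.Parser` entirely by resolving schemas from an application-owned registry by name; the second, for cases where schema text must be accepted, walks the raw JSON before parsing and rejects any key outside the Avro specification's own vocabulary, since custom properties are the part of a schema that the reflect and specific machinery interprets. The allowlist of specification keys, the class name `SafeSchemaLoading`, and the `java-class` property used in the constructed sample are this example's assumptions; `java-class` is only an instance of a non-specification key here, not a claim about the precise trigger of the CVE.

```java
import java.io.IOException;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.avro.Schema;

/** Added example (hypothetical class): registry lookup plus pre-parse sanitising of Avro schemas. */
public final class SafeSchemaLoading {

    // Assumption: keys defined by the Avro schema specification. Anything else is a
    // custom property; untrusted schemas that carry custom properties are refused
    // before Schema.Parser ever sees them.
    private static final Set<String> SPEC_KEYS = Set.of(
        "type", "name", "namespace", "doc", "aliases", "fields", "default", "order",
        "symbols", "items", "values", "size", "logicalType", "precision", "scale");

    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** Schemas the application ships itself; clients refer to them by identifier only. */
    private final Map<String, Schema> trusted = new ConcurrentHashMap<>();

    public void register(String id, String schemaJson) {
        trusted.put(id, new Schema.Parser().parse(schemaJson));
    }

    /** Mitigation 1: never parse what the client sent; resolve a schema we already trust. */
    public Schema lookup(String id) {
        Schema s = trusted.get(id);
        if (s == null) {
            throw new IllegalArgumentException("unknown schema id: " + id);
        }
        return s;
    }

    /** Mitigation 2: if schema text must be accepted, reject non-specification keys, then parse. */
    public static Schema parseSanitised(String schemaJson) throws IOException {
        JsonNode root = MAPPER.readTree(schemaJson);
        rejectCustomProps(root, "$");
        return new Schema.Parser().parse(schemaJson);
    }

    // Recursive walk over the raw JSON tree; objects may only carry allowlisted keys.
    private static void rejectCustomProps(JsonNode node, String path) {
        if (node.isObject()) {
            Iterator<Map.Entry<String, JsonNode>> it = node.fields();
            while (it.hasNext()) {
                Map.Entry<String, JsonNode> e = it.next();
                if (!SPEC_KEYS.contains(e.getKey())) {
                    throw new IllegalArgumentException(
                        "custom property '" + e.getKey() + "' at " + path + " is not allowed in an untrusted schema");
                }
                rejectCustomProps(e.getValue(), path + "." + e.getKey());
            }
        } else if (node.isArray()) {
            for (int i = 0; i < node.size(); i++) {
                rejectCustomProps(node.get(i), path + "[" + i + "]");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a plain record schema with only specification keys.
        String plain = "{\"type\":\"record\",\"name\":\"Event\","
            + "\"fields\":[{\"name\":\"id\",\"type\":\"long\"}]}";
        // Constructed sample: the same record, but a field type carries a custom property.
        String custom = "{\"type\":\"record\",\"name\":\"Event\","
            + "\"fields\":[{\"name\":\"id\",\"type\":{\"type\":\"string\",\"java-class\":\"com.example.Anything\"}}]}";

        SafeSchemaLoading registry = new SafeSchemaLoading();
        registry.register("event-v1", plain);
        System.out.println("registry: " + registry.lookup("event-v1").getFullName());

        System.out.println("sanitised: " + parseSanitised(plain).getFullName());
        try {
            parseSanitised(custom);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The registry route is the stronger of the two because no client-controlled text reaches the parser at all; the sanitiser is a fallback for protocols where schema text travels with the data, and a strict key allowlist is deliberately chosen over a denylist of known-dangerous properties so that any property the reflect or specific data paths might interpret is refused by default. Neither replaces upgrading to a fixed release.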
"CVE-2024-47561 impacts Apache Avro 1.11.3 and previous versions while de-serializing input received through an Avro schema," Mayuresh Dani, manager of threat research at Qualys, said in a statement shared with The Hacker News.
"Processing such input from a threat actor leads to execution of code. Based on our threat intelligence reporting, no PoC is publicly available, but this vulnerability exists while processing packages via ReflectData and SpecificData directives and can be exploited via Kafka."
"Since Apache Avro is an open-source project, it is used by many organizations. Based on publicly available data, most of these organizations are located in the U.S. This definitely has a lot of security implications if left unpatched, unsupervised and unprotected."