Critical Apache Avro SDK Flaw Allows Remote Code Execution in Java Applications



Oct 07, 2024 | Ravie Lakshmanan | Open Source / Software Security


A critical security flaw has been disclosed in the Apache Avro Java Software Development Kit (SDK) that, if successfully exploited, could allow the execution of arbitrary code on susceptible instances.

The flaw, tracked as CVE-2024-47561, impacts all versions of the software prior to 1.11.4.

“Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code,” the project maintainers said in an advisory released last week. “Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue.”

Apache Avro, analogous to Google’s Protocol Buffers (protobuf), is an open-source project that provides a language-neutral data serialization framework for large-scale data processing.

The Avro team notes that the vulnerability impacts any application that allows users to provide their own Avro schemas for parsing. Kostya Kortchinsky from the Databricks security team has been credited with discovering and reporting the security shortcoming.


As mitigations, it is recommended to sanitize schemas before parsing them and to avoid parsing user-provided schemas.

“CVE-2024-47561 impacts Apache Avro 1.11.3 and previous versions while de-serializing input received via Avro schema,” Mayuresh Dani, Manager of Threat Research at Qualys, said in a statement shared with The Hacker News.

“Processing such input from a threat actor leads to execution of code. Based on our threat intelligence reporting, no PoC is publicly available, but this vulnerability exists while processing packages via ReflectData and SpecificData directives and can be exploited via Kafka.”

“Since Apache Avro is an open-source project, it is used by many organizations. Based on publicly available data, a majority of these organizations are located in the US. This definitely has a lot of security implications if left unpatched, unsupervised and unprotected.”
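As an added illustration of the "sanitize schemas before parsing" mitigation above (this is not code from the article or from the Avro project): a pre-parse gate that decodes a user-supplied schema as plain JSON and rejects it if any attribute falls outside an allowlist, singling out the java-class family of attributes that Avro's ReflectData reads to resolve Java classes from schema text. The allowlist and the sample schemas are constructed for this example; it is written in Python so it runs as-is, and the same check can be ported to sit in front of Schema.Parser in a Java service.

```python
import json

# Constructed allowlist of standard Avro schema attributes; tighten it to what your schemas use.
ALLOWED_ATTRS = {
    "type", "name", "namespace", "doc", "aliases", "fields", "default", "symbols",
    "items", "values", "size", "logicalType", "order", "precision", "scale",
}
# Attributes Avro's ReflectData reads to resolve Java classes named in the schema text;
# a schema supplied by an untrusted user has no reason to carry them.
REFLECT_ATTRS = {"java-class", "java-key-class", "java-element-class"}


def find_violations(node, path="$"):
    """Walk a decoded schema and return the JSON path of every attribute outside the
    allowlist, marking ReflectData class hooks explicitly."""
    violations = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key in REFLECT_ATTRS:
                violations.append(f"{path}.{key} (reflect class hook)")
            elif key not in ALLOWED_ATTRS:
                violations.append(f"{path}.{key}")
            if key != "default":  # 'default' holds data, not schema structure
                violations.extend(find_violations(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            violations.extend(find_violations(item, f"{path}[{i}]"))
    return violations


def sanitize_schema(schema_json):
    """Return the schema text unchanged if it is clean, else raise ValueError naming every
    offending attribute. Only the returned text should ever reach Schema.Parser."""
    try:
        decoded = json.loads(schema_json)
    except json.JSONDecodeError as exc:
        raise ValueError(f"schema is not valid JSON: {exc}") from exc
    violations = find_violations(decoded)
    if violations:
        raise ValueError("schema rejected: " + "; ".join(violations))
    return schema_json


# Constructed sample schemas: a clean record, and one smuggling a ReflectData hook.
CLEAN_SCHEMA = ('{"type":"record","name":"User","fields":[{"name":"id","type":"long"},'
                '{"name":"tags","type":{"type":"array","items":"string"}}]}')
TAINTED_SCHEMA = ('{"type":"record","name":"User","fields":[{"name":"id",'
                  '"type":{"type":"string","java-class":"com.example.PLACEHOLDER"}}]}')
```

Rejecting unknown attributes outright is deliberately strict; if your schemas rely on custom properties, add them to the allowlist by name rather than relaxing the check.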
