I have requested more details about CVE-2024-47561 directly from the Apache 
Avro project in this email to the us...@avro.apache.org mailing list: 
https://lists.apache.org/thread/hrlxrn229vj7fkryx12npz8ws64026qo

Questions asked:

1. Is the RCE issue (Arbitrary Code Execution when reading Avro Data) reported 
in CVE-2024-47561 known to be exploitable in the default configuration of 
Apache Avro Java SDK?

2. Given that upgrading and patching all systems with Avro 1.11.4/1.12.0 will 
take some time, are there known workarounds or mitigations?

-Lari

On 2024/10/03 20:58:43 Lari Hotari wrote:
> Dear Pulsar Community,
> 
> There's a critical 9.3/10 level RCE vulnerability in Avro Java SDK
> <1.11.4, CVE-2024-47561.
> More details can be found in these resources:
> - https://github.com/advisories/GHSA-r7pg-v2c8-mfg3
> - https://nvd.nist.gov/vuln/detail/CVE-2024-47561
> - https://lists.apache.org/thread/c2v7mhqnmq0jmbwxqq3r5jbj1xg43h5x
> 
> In Pulsar, there's a PR under review to upgrade Avro to 1.11.4:
> https://github.com/apache/pulsar/pull/23394
> 
> I suggest that we start preparations for expedited Pulsar 3.0.7 and
> 3.3.2 releases due to this critical vulnerability. I can volunteer to
> handle these releases as a release manager.
> 
> Further coordination of these releases and discussions about possible
> mitigations will be on the dev@pulsar.apache.org mailing list. I have
> also sent this message to the us...@pulsar.apache.org list. Mailing
> list archives and joining instructions for the dev mailing list can be
> found at https://pulsar.apache.org/contact/.
> 
> -Lari
> 
