[jira] [Updated] (PARQUET-2094) Handle negative values in page headers

2021-12-20 Thread Gabor Szadovszky (Jira)


[ https://issues.apache.org/jira/browse/PARQUET-2094?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gabor Szadovszky updated PARQUET-2094:
--
 External issue ID: CVE-2021-41561
External issue URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41561

> Handle negative values in page headers
> --
>
> Key: PARQUET-2094
> URL: https://issues.apache.org/jira/browse/PARQUET-2094
> Project: Parquet
> Issue Type: Bug
> Reporter: Gabor Szadovszky
> Assignee: Gabor Szadovszky
> Priority: Major
> Fix For: 1.11.2, 1.12.2
>
>
> There are integer values in the page headers that should always be positive 
> (e.g. length). I am not sure if we properly handle the cases where they are not 
> positive.





CVE-2021-41561: Apache Parquet-MR potential DoS in case of malicious Parquet file

2021-12-20 Thread Gábor Szádovszky

Description:

Improper Input Validation vulnerability in Parquet-MR of Apache Parquet allows 
an attacker to DoS by malicious Parquet files. This issue affects Apache 
Parquet-MR version 1.9.0 and later versions.

This issue is being tracked as PARQUET-2094

Mitigation:

1.12.x users should upgrade to 1.12.2
1.11.x users should upgrade to 1.11.2
Users of older release lines (<= 1.10.x) should upgrade to 1.12.2 or 1.11.2

Credit:

This issue was discovered by Sergey Temnikov of the Amazon S3 team.
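
The class of check named in the issue title, as an added example that is not Parquet-MR's code or its actual fix: the signed `int` size fields of a page header are rejected when negative before any buffer is allocated from them. The field names follow the Parquet Thrift `PageHeader` definition; the class, method and exception names and the sample values are hypothetical, and the remaining-bytes bound goes beyond the negative-value case the issue describes.

```java
import java.io.IOException;

// Added example, not Parquet-MR code. Class, method and exception names are hypothetical.
public class PageHeaderCheck {

    /** Thrown when a header field read from the file is out of range. */
    static class InvalidPageHeaderException extends IOException {
        InvalidPageHeaderException(String msg) { super(msg); }
    }

    static void requireNonNegative(String field, int value) throws InvalidPageHeaderException {
        if (value < 0) {
            throw new InvalidPageHeaderException(field + " is negative: " + value);
        }
    }

    /**
     * Validates the integer fields of one page header and returns the number
     * of bytes that are safe to read for the page body.
     */
    static int validate(int compressedPageSize, int uncompressedPageSize,
                        int numValues, long bytesRemainingInChunk)
            throws InvalidPageHeaderException {
        requireNonNegative("compressed_page_size", compressedPageSize);
        requireNonNegative("uncompressed_page_size", uncompressedPageSize);
        requireNonNegative("num_values", numValues);
        // A length larger than what is left in the column chunk is equally untrustworthy.
        if (compressedPageSize > bytesRemainingInChunk) {
            throw new InvalidPageHeaderException("compressed_page_size " + compressedPageSize
                    + " exceeds the " + bytesRemainingInChunk + " bytes left in the chunk");
        }
        return compressedPageSize;
    }

    public static void main(String[] args) {
        // Constructed sample headers: {compressed, uncompressed, numValues}.
        int[][] samples = {
            {1024, 4096, 100}, {-1, 4096, 100}, {1024, -8, 100}, {1024, 4096, -5}, {5000, 4096, 100}
        };
        for (int[] s : samples) {
            try {
                byte[] buf = new byte[validate(s[0], s[1], s[2], 2048L)]; // length is checked first
                System.out.println("accepted, buffer of " + buf.length + " bytes");
            } catch (InvalidPageHeaderException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```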