I'm currently working on an impact analysis for Apache Pulsar and Apache BookKeeper users regarding CVE-2024-47561.
I have a few questions:

1. Is the RCE issue (Arbitrary Code Execution when reading Avro Data) reported in CVE-2024-47561 known to be exploitable in the default configuration of Apache Avro Java SDK?

2. Given that upgrading and patching all systems with Avro 1.11.4/1.12.0 will take some time, are there known workarounds or mitigations?

This information would be very helpful to all Avro users.

Regards,
Lari Hotari
Apache Pulsar PMC

On 2024/10/03 10:14:59 Martin Tzvetanov Grigorov wrote:
> Severity: critical
>
> Affected versions:
>
> - Apache Avro Java SDK before 1.11.4
>
> Description:
>
> Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions
> allows bad actors to execute arbitrary code.
> Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this
> issue.
>
> Credit:
>
> Kostya Kortchinsky, from the Databricks Security Team (finder)
>
> References:
>
> https://avro.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2024-47561
