Hi,

On Fri, Oct 4, 2024 at 9:52 AM Lari Hotari <[email protected]> wrote:

> I'm currently working on an impact analysis for Apache Pulsar and Apache
> BookKeeper users regarding CVE-2024-47561.
>
> I have a few questions:
>
> 1. Is the RCE issue (Arbitrary Code Execution when reading Avro Data)
> reported in CVE-2024-47561 known to be exploitable in the default
> configuration of Apache Avro Java SDK?
>

Yes! An application is vulnerable if it allows its users to provide their own
Avro schemas for parsing.

>
> 2. Given that upgrading and patching all systems with Avro 1.11.4/1.12.0
> will take some time, are there known workarounds or mitigations?
>

Upgrading to 1.11.4 should be really easy! 1.12.0 has more changes, so
something else may affect/break your application.

Mitigations:
1) Do not parse user-provided schemas
2) Sanitize the schema before parsing it.

For more information ask us privately.

>
> This information would be very helpful to all Avro users.
>

I am sure it will be! But it will be useful for all bad actors too ...

> Regards,
>
> Lari Hotari
> Apache Pulsar PMC
>
> On 2024/10/03 10:14:59 Martin Tzvetanov Grigorov wrote:
> > Severity: critical
> >
> > Affected versions:
> >
> > - Apache Avro Java SDK before 1.11.4
> >
> > Description:
> >
> > Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous
> > versions allows bad actors to execute arbitrary code.
> > Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix
> > this issue.
> >
> > Credit:
> >
> > Kostya Kortchinsky, from the Databricks Security Team (finder)
> >
> > References:
> >
> > https://avro.apache.org/
> > https://www.cve.org/CVERecord?id=CVE-2024-47561
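The two mitigations named in the reply above (do not parse user-provided schemas; sanitize a schema before parsing it) can be put in front of Avro's `Schema.Parser` as a small gate. The class below is an added example, not code from the thread, from the Avro project or from Apache Pulsar/BookKeeper. The class name `SafeSchemaLoader`, the sample registry, and the `SPEC_ATTRIBUTES` allowlist are this example's own choices. Because the thread deliberately does not disclose what triggers the issue, the sanitizer is generic: it refuses any schema attribute outside the set defined by the Avro specification. That allowlist is an assumed hardening measure, not the upstream fix, and it does not replace upgrading to 1.11.4 or 1.12.0.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.avro.Schema;

import java.util.Iterator;
import java.util.Map;
import java.util.Set;

/**
 * Defensive gate in front of Avro's Schema.Parser (added example, not Avro project code).
 *
 * Layer 1 (mitigation 1): schemas are resolved by a caller-supplied ID from a registry the
 * application ships with; the raw schema text never comes from the request.
 * Layer 2 (mitigation 2): when schema text must be accepted from outside, it is first walked
 * as plain JSON and rejected if any object carries an attribute the Avro specification does
 * not define. ASSUMPTION: this allowlist is a conservative hardening choice for this example,
 * not the upstream fix, and not a substitute for upgrading to 1.11.4 / 1.12.0.
 */
public final class SafeSchemaLoader {

    // Attribute names defined by the Avro specification for named types, fields, arrays,
    // maps and logical types. Anything else is refused before Avro ever sees the text.
    private static final Set<String> SPEC_ATTRIBUTES = Set.of(
        "type", "name", "namespace", "doc", "aliases", "fields", "symbols", "default",
        "order", "items", "values", "size", "logicalType", "precision", "scale");

    private static final ObjectMapper JSON = new ObjectMapper();

    // Constructed sample registry: the schemas this application trusts, keyed by ID.
    private static final Map<String, String> TRUSTED_SCHEMAS = Map.of(
        "user-v1",
        "{\"type\":\"record\",\"name\":\"User\",\"namespace\":\"example\"," +
        "\"fields\":[{\"name\":\"id\",\"type\":\"long\"},{\"name\":\"email\",\"type\":\"string\"}]}");

    private SafeSchemaLoader() {}

    /** Mitigation 1: resolve by ID. An unknown ID is an error, never a parse of caller input. */
    public static Schema loadTrusted(String schemaId) {
        String text = TRUSTED_SCHEMAS.get(schemaId);
        if (text == null) {
            throw new IllegalArgumentException("unknown schema id: " + schemaId);
        }
        return new Schema.Parser().parse(text);
    }

    /** Mitigation 2: refuse schema text that uses attributes outside the specification. */
    public static Schema parseSanitized(String untrustedSchemaText) throws Exception {
        JsonNode root = JSON.readTree(untrustedSchemaText);
        rejectUnknownAttributes(root, "$");
        return new Schema.Parser().parse(untrustedSchemaText);
    }

    private static void rejectUnknownAttributes(JsonNode node, String path) {
        if (node.isObject()) {
            Iterator<Map.Entry<String, JsonNode>> it = node.fields();
            while (it.hasNext()) {
                Map.Entry<String, JsonNode> e = it.next();
                if (!SPEC_ATTRIBUTES.contains(e.getKey())) {
                    throw new IllegalArgumentException(
                        "non-standard schema attribute '" + e.getKey() + "' at " + path);
                }
                // A field's "default" is an arbitrary JSON value (it may be an object with
                // any keys), so it is not a schema object and is not walked.
                if (!"default".equals(e.getKey())) {
                    rejectUnknownAttributes(e.getValue(), path + "." + e.getKey());
                }
            }
        } else if (node.isArray()) {
            // unions, "fields", "symbols", "aliases" are arrays; walk each element
            for (int i = 0; i < node.size(); i++) {
                rejectUnknownAttributes(node.get(i), path + "[" + i + "]");
            }
        }
        // Primitive type names ("string", "long", ...) carry no attributes; nothing to check.
    }

    public static void main(String[] args) throws Exception {
        System.out.println(loadTrusted("user-v1").getFullName()); // example.User

        // Constructed input carrying a property the specification does not define.
        String suspicious = "{\"type\":\"record\",\"name\":\"X\",\"custom-prop\":\"whatever\"," +
            "\"fields\":[{\"name\":\"f\",\"type\":\"string\"}]}";
        try {
            parseSanitized(suspicious);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The trade-off is functional: the Avro specification permits additional, application-defined attributes on schemas, and this gate rejects all of them. Any annotation your own producers legitimately rely on has to be added to `SPEC_ATTRIBUTES` explicitly, which keeps the accepted surface enumerable and reviewable. Where a rejection is logged, the attribute name and JSON path in the exception message are the signal worth forwarding to detection, since a schema arriving with unexpected attributes from an untrusted source is itself a finding.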
