A critical security flaw has been disclosed in the Apache Avro Java Software Development Kit (SDK) that, if successfully exploited, could allow the execution of arbitrary code on susceptible instances.
The flaw, tracked as CVE-2024-47561, impacts all versions of the software prior to 1.11.4.
“Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code,” the project maintainers said in an advisory released last week. “Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue.”
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
Apache Avro, analogous to Google’s Protocol Buffers (protobuf), is an open-source project that provides a language-neutral data serialization framework for large-scale data processing.
The Avro team notes that the vulnerability affects any application if it allows users to provide their own Avro schemas for parsing. Kostya Kortchinsky from the Databricks security team has been credited with discovering and reporting the security shortcoming.
As mitigations, it’s recommended to sanitize schemas before parsing them and avoid parsing user-provided schemas.
“CVE-2024-47561 affects Apache Avro 1.11.3 and previous versions while de-serializing input received via avroAvro schema,” Mayuresh Dani, Manager, manager of threat research at Qualys, said in a statement shared with The Hacker News.
“Processing such input from a threat actor leads to execution of code. Based on our threat intelligence reporting, no PoC is publicly available, but this vulnerability exists while processing packages via ReflectData and SpecificData directives and can also be exploited via Kafka.”
“Since Apache Avro is an open-source project, it is used by many organizations. Based on publicly available data, a majority of these organizations are located in the US. This definitely has a lot of security implications if left unpatched, unsupervised and unprotected.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
THN Cybersecurity Recap: Top Threats and Trends (Sep 30 – Oct 6)