A critical security flaw has been discovered in the Apache Avro Java Software Development Kit (SDK) that, if successfully exploited, could allow arbitrary code execution on sensitive instances.
Drawback tracked as CVE-2024-47561affects all software versions prior to 1.11.4.
“Schema analysis in Apache Avro’s Java SDK 1.11.3 and earlier allows malicious actors to execute arbitrary code,” project staff said in an advisory issued last week. “Users are advised to switch to version 1.11.4 or 1.12.0 that fix this issue.”
Apache Avro, similar to Google Protocol Buffers (protobuff), is an open source project that provides a neutral language data serialization structure for large-scale data processing.
The Avro team notes that the vulnerability affects any application that allows users to provide their own Avro schemas for parsing. Kostya Kortchinsky of the Databricks security team is credited with discovering and reporting the security flaw.
As a mitigation measure, it is recommended that you sanitize schematics before parsing them and avoid parsing user-suggested schematics.
“CVE-2024-47561 affects Apache Avro 1.11.3 and earlier when deserializing input received via the avroAvro scheme,” said Mayuresh Dani, threat research manager at Qualys, in a statement shared with The Hacker News.
“Processing such input from a threat actor results in code execution. According to our threat reports, PoC is not publicly available, but this vulnerability exists when processing packets via ReflectData and SpecificData directives and can also be used through Kafka.’
“Because Apache Avro is an open source project, it is used by many organizations. According to publicly available data, most of these organizations are located in the United States. This certainly has many security implications if not fixed, monitored and protected. “
