Pierluigi Paganini October 07, 2024

A critical vulnerability in the Apache Avro Java Software Development Kit (SDK) could be exploited to execute arbitrary code on vulnerable instances.

A critical vulnerability, tracked as CVE-2024-47561, in the Apache Avro Java Software Development Kit (SDK) could allow the execution of arbitrary code on vulnerable instances.

The flaw, tracked as CVE-2024-47561, impacts all versions of the software prior to 1.11.4.

The Avro Java Software Development Kit (SDK) is a toolkit for working with Apache Avro in Java applications. Apache Avro is a data serialization framework developed as part of the Apache Hadoop project. It provides a compact, fast, and efficient way to serialize structured data, which makes it particularly useful for applications involving big data, streaming, or distributed systems.

“Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4  or 1.12.0, which fix this issue.” reads the advisory.

The vulnerability impacts any application that allows users to provide their own Avro schemas for parsing.

Security researcher Kostya Kortchinsky from Databricks security reported the vulnerability to the Avro team.

The experts provide the following mitigations for users who are unable to apply the security updates:

• Do not parse user-provided schemas.
• Sanitize the schema before parsing it. For more information ask us privately.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Avro Java Software Development Kit (SDK))