October 7, 2024 at 05:57AM
A critical security flaw (CVE-2024-47561) in Apache Avro Java SDK prior to 1.11.4 allows execution of arbitrary code, impacting large-scale data processing. Users are advised to upgrade to version 1.11.4 or 1.12.0. Vulnerability exists in deserializing input via Avro schema, affecting organizations mainly in the US. Mitigations include sanitizing schemas and avoiding user-provided schemas.
From the meeting notes on Oct 07, 2024, the key takeaways are:
1. A critical security flaw, indexed as CVE-2024-47561, has been uncovered in the Apache Avro Java Software Development Kit prior to version 1.11.4. This flaw could potentially enable arbitrary code execution if successfully exploited.
2. Users are advised to upgrade to version 1.11.4 or 1.12.0 in order to address this vulnerability.
3. Mitigations include carefully scrutinizing and cleaning schemas before parsing, and avoiding parsing user-provided schemas.
4. The vulnerability affects any application allowing user-provided Avro schemas for parsing and may lead to the execution of malicious code.
5. The flaw was discovered and reported by Kostya Kortchinsky from the Databricks security team, and it could be exploited via Kafka.
6. The potential impact of the security flaw is significant, especially for organizations in the US due to widespread use of Apache Avro.
Please let me know if you need any further assistance or information.