Advisory

Apache Avro SDK reports arbitrary code execution flaw

Take action: If your infrastructure uses Apache Avro (check your Apache Kafka deployments in particular), review this flaw and plan patching or updating. Exploitation requires that users be permitted to submit their own schemas and custom code, so it may not apply to every system. Even so, review it and weigh the risk.


Learn More

A security vulnerability has been identified in the Apache Avro Java Software Development Kit (SDK) that allows potential execution of arbitrary code on vulnerable instances.

The flaw is tracked as CVE-2024-47561 (CVSS score 7.3) and stems from schema parsing in the affected versions. If an application allows users to provide their own Avro schemas, an attacker could exploit this to inject and execute malicious code during the schema parsing process.

Affected versions: Apache Avro Java SDK 1.11.3 and earlier.

Users are advised to upgrade to version 1.11.4 or 1.12.0, both of which include the patch that addresses this vulnerability.

For those unable to upgrade immediately, it is recommended to sanitize Avro schemas before parsing them and to avoid parsing user-provided schemas wherever possible.
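One way to carry out the "sanitize before parsing" workaround above, as an added example that is not code from the advisory or from the Apache Avro project: an allowlist walk over the schema JSON that keeps only the attributes the Avro specification defines and rejects (or, in lenient mode, strips) everything else, so implementation-specific hints such as the Java SDK's `java-class` never reach the parser. It is written in Python so it runs anywhere; in a Java service the same walk would sit in front of `Schema.Parser`. The `Event` schema and its `x-custom-hint` attribute are constructed for the example.

```python
"""Allowlist sanitizer for Avro schemas (added example; not the advisory's or Avro's code).
Keeps only attributes the Avro specification defines, so implementation-specific hints
(such as the Java SDK's `java-class`) never reach a parser. Python is used for
illustration; in a Java service the same walk runs before Schema.Parser is called."""
import json

# Attributes the Avro specification defines, per schema kind.
COMMON = {"type", "doc", "logicalType"}
LOGICAL_PARAMS = {"precision", "scale"}  # decimal parameters on bytes/fixed
PRIMITIVES = {"null", "boolean", "int", "long", "float", "double", "bytes", "string"}
COMPLEX = {
    "record": COMMON | {"name", "namespace", "aliases", "fields"},
    "enum": COMMON | {"name", "namespace", "aliases", "symbols", "default"},
    "array": COMMON | {"items"},
    "map": COMMON | {"values"},
    "fixed": COMMON | LOGICAL_PARAMS | {"name", "namespace", "aliases", "size"},
}
FIELD_KEYS = {"name", "type", "doc", "default", "order", "aliases"}

class UnsafeSchemaError(ValueError):
    """Raised when a schema carries attributes outside the specification."""

def _require(obj, key):
    if key not in obj:
        raise UnsafeSchemaError(f"missing required attribute {key!r}")
    return obj[key]

def _keep_allowed(obj, allowed, where, strict):
    # Copy obj keeping only allowed keys; in strict mode any extra key is an error.
    extra = sorted(set(obj) - allowed)
    if extra and strict:
        raise UnsafeSchemaError(f"{where}: non-spec attribute(s) {extra}")
    return {k: v for k, v in obj.items() if k in allowed}

def sanitize(schema, strict=True):
    """Return a copy of a parsed schema holding only specification attributes.
    strict=True raises on extras; strict=False drops them silently. Plain strings
    (primitive names or references to earlier named types) pass through."""
    if isinstance(schema, str):
        return schema
    if isinstance(schema, list):  # union
        return [sanitize(s, strict) for s in schema]
    if not isinstance(schema, dict) or not isinstance(schema.get("type"), str):
        raise UnsafeSchemaError("schema must be a string, a union list, or an object with a string 'type'")
    kind = schema["type"]
    if kind in PRIMITIVES:
        allowed = COMMON | LOGICAL_PARAMS
    elif kind in COMPLEX:
        allowed = COMPLEX[kind]
    else:
        raise UnsafeSchemaError(f"unknown type {kind!r}")
    clean = _keep_allowed(schema, allowed, f"type {kind!r}", strict)
    if kind == "record":
        fields = _require(schema, "fields")
        if not isinstance(fields, list):
            raise UnsafeSchemaError("'fields' must be a list")
        clean["fields"] = [_sanitize_field(f, strict) for f in fields]
    elif kind == "array":
        clean["items"] = sanitize(_require(schema, "items"), strict)
    elif kind == "map":
        clean["values"] = sanitize(_require(schema, "values"), strict)
    return clean

def _sanitize_field(field, strict):
    if not isinstance(field, dict):
        raise UnsafeSchemaError("record field must be an object")
    clean = _keep_allowed(field, FIELD_KEYS, f"field {field.get('name')!r}", strict)
    clean["type"] = sanitize(_require(field, "type"), strict)
    return clean

def sanitize_json(schema, strict=True):
    """Sanitize a schema given as JSON text or as an already-parsed object."""
    return sanitize(json.loads(schema) if isinstance(schema, str) else schema, strict)

def is_safe(schema):
    """True only if the schema is well-formed and carries no non-spec attributes."""
    try:
        sanitize_json(schema, strict=True)
        return True
    except ValueError:  # UnsafeSchemaError, or malformed JSON text
        return False

# Constructed sample: an event schema with one non-spec attribute hidden in a nested type.
UNTRUSTED_SCHEMA = json.dumps({
    "type": "record", "name": "Event", "namespace": "example.constructed",
    "fields": [
        {"name": "id", "type": "long"},
        {"name": "tags", "type": {"type": "array", "items": "string", "x-custom-hint": "not in spec"}},
        {"name": "ts", "type": {"type": "long", "logicalType": "timestamp-millis"}},
        {"name": "note", "type": ["null", "string"], "default": None},
    ],
})

if __name__ == "__main__":
    print("accepted as submitted:", is_safe(UNTRUSTED_SCHEMA))  # False
    print(json.dumps(sanitize_json(UNTRUSTED_SCHEMA, strict=False), indent=2))
```

Strict mode (reject) is the right default for a schema registry or any endpoint that accepts schemas from tenants, since a rejected submission tells the submitter what to fix; lenient mode (strip) suits a migration where existing producers cannot be changed quickly. Because it is an allowlist rather than a denylist of known-bad attributes, the check does not depend on knowing which hint a given SDK version acts on, at the cost of also dropping harmless custom properties.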

The vulnerability is particularly concerning for applications that use Apache Avro in big data, streaming, or distributed systems environments, given its role as a data serialization framework similar to Google’s Protocol Buffers (protobuf).

The vulnerability could affect various big data ecosystems, especially those using Kafka for message streaming, where Avro is often employed for data serialization.

Although there is no known public proof-of-concept (PoC) available at this time, the potential for widespread impact makes it important for organizations using Apache Avro to apply the update promptly.
