Apache Avro on the brink: hackers have found a way to seize control of the code

The CVE-2024-47561 vulnerability allows thousands of systems to be compromised.

A critical vulnerability has been identified in the Apache Avro Java SDK that allows attackers to execute arbitrary code on vulnerable instances. The security bug, registered as CVE-2024-47561, affects all software versions up to and including 1.11.4.

The project's official advisory states: "Schema Parsing in the Java SDK Apache Avro version 1.11.3 and earlier allows attackers to execute arbitrary code". Users are advised to upgrade to version 1.11.4 or 1.12.0, which fix the issue.
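To turn the affected and fixed versions above into a check a practitioner can actually run, here is an added Python example (not code from the news item, from the Apache Avro project, or from the researchers named here) that scans `mvn dependency:tree` output for the Avro Java SDK artifact and flags every release before 1.11.4, the first fixed release per the advisory. The dependency listing in the block is constructed for illustration, and the coordinate pattern assumes Maven's default `groupId:artifactId:type:version:scope` line format.

```python
"""Flag Apache Avro Java SDK versions affected by CVE-2024-47561 in Maven dependency output."""
import re
import sys

# The advisory says the 1.11 line is fixed in 1.11.4 and the 1.12 line in 1.12.0,
# so every release numerically below 1.11.4 is treated as affected.
FIRST_FIXED = (1, 11, 4)

# Constructed sample of `mvn dependency:tree` output; not taken from any real project.
SAMPLE_TREE = """\
[INFO] com.example:ingest-service:jar:1.0.0
[INFO] +- org.apache.avro:avro:jar:1.11.3:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile
[INFO] +- org.apache.kafka:kafka-clients:jar:3.6.0:compile
[INFO] +- org.apache.avro:avro-compiler:jar:1.11.3:test
[INFO] \\- org.apache.avro:avro:jar:1.12.0:provided
"""

# Matches the groupId:artifactId:type:version:scope coordinates printed by dependency:tree
# (assumed default Maven format) for anything in the org.apache.avro group.
COORD_RE = re.compile(
    r"org\.apache\.avro:(?P<artifact>[\w.-]+):jar:(?P<version>[^:\s]+):(?P<scope>\w+)"
)


def parse_version(version: str) -> tuple:
    """Return the numeric (major, minor, patch) prefix; qualifiers such as -SNAPSHOT are ignored."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised Avro version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version: str) -> bool:
    """True when the SDK release predates the first fixed release, i.e. 1.11.3 and earlier."""
    return parse_version(version) < FIRST_FIXED


def find_affected(tree_text: str) -> list:
    """Return (artifact, version, scope) for every affected `avro` SDK entry in the tree output.

    Only the `avro` artifact itself is checked, since that is the SDK the advisory names;
    other org.apache.avro artifacts are left for manual review.
    """
    affected = []
    for line in tree_text.splitlines():
        match = COORD_RE.search(line)
        if match is None or match["artifact"] != "avro":
            continue
        if is_vulnerable(match["version"]):
            affected.append((match["artifact"], match["version"], match["scope"]))
    return affected


def main() -> int:
    """Read tree output from stdin (or fall back to the constructed sample) and report hits."""
    text = SAMPLE_TREE if sys.stdin.isatty() else sys.stdin.read()
    hits = find_affected(text)
    for artifact, version, scope in hits:
        print(f"AFFECTED: org.apache.avro:{artifact}:{version} ({scope}) "
              f"-> upgrade to 1.11.4 or 1.12.0")
    if not hits:
        print("No affected Apache Avro SDK versions found")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `mvn dependency:tree | python avro_audit.py` in a CI job; a non-zero exit code fails the build while an affected SDK is still on the classpath. The version comparison deliberately uses the numeric tuple rather than a string compare, so `1.12.0` is correctly ranked above `1.11.4`.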

Apache Avro is a data serialization framework, similar to Google's Protobuf, that is widely used to process large volumes of data. The vulnerability affects applications that accept Avro schemas from third parties and parse them.

The issue was discovered by Databricks security researcher Kostya Kortchinsky. As a mitigation, it is recommended to carefully validate schemas before parsing them and to avoid using custom schemas.

Mayuresh Dani, Threat Research Manager at Qualys, noted that "the CVE-2024-47561 vulnerability affects Apache Avro version 1.11.3 and earlier when deserializing input data through the Avro schema". He also pointed out that, at the time of publication, no proof-of-concept (PoC) exploit was publicly available, but that the vulnerability could potentially be exploited through the ReflectData and SpecificData classes, as well as through Kafka.

As an open-source project, Apache Avro is actively used by many organizations, most of them based in the United States, which raises the risk if the vulnerability is not patched in time.
