Critical Security Flaw in Apache Avro Java SDK Allows Code Execution

A critical security flaw has been disclosed in the Apache Avro Java Software Development Kit (SDK) that could enable malicious actors to execute arbitrary code on vulnerable systems. The flaw, identified as CVE-2024-47561, affects all versions of the software prior to 1.11.4.

According to an advisory from the Apache Avro team, "Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code." Users are strongly encouraged to upgrade to versions 1.11.4 or 1.12.0 to address this issue.

Apache Avro, often compared to Google's Protocol Buffers (protobuf), is an open-source, language-neutral data serialization framework widely used in large-scale data processing environments. The vulnerability specifically impacts applications that allow user-provided Avro schemas for parsing, increasing the risk of exploitation.

Security researcher Kostya Kortchinsky from the Databricks security team has been credited with discovering and reporting the flaw.

As part of mitigation strategies, users are advised to sanitize schemas before parsing them and avoid handling user-provided schemas altogether when possible.

CVE-2024-47561 affects versions of Apache Avro 1.11.3 and earlier, particularly during the de-serialization of input received via Avro schema, said Mayuresh Dani, Manager of Threat Research at Qualys. In a statement to The Hacker News, Dani noted that although no proof-of-concept (PoC) for the exploit is publicly available, the vulnerability can be exploited when processing packages via ReflectData and SpecificData directives. It may also be exploited through integration with Kafka.
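As an added illustration of the "sanitize schemas before parsing" advice above and of keeping untrusted schemas away from the reflective parsing paths mentioned by Dani (example code written for this post, not the Avro project's or the advisory's own), the gate below walks the schema JSON with Jackson and rejects any attribute name outside the set the Avro specification defines before the text is handed to `Schema.Parser`. The class name and the size limit are assumptions; the attribute names are those of the Avro spec.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.avro.Schema;

import java.util.Iterator;
import java.util.Map;
import java.util.Set;

/** Pre-parse gate for Avro schemas that arrive from an untrusted source (hypothetical class). */
public final class SchemaGate {
    // Attribute names defined by the Avro specification; anything else is rejected.
    private static final Set<String> ALLOWED_ATTRS = Set.of(
        "type", "name", "namespace", "doc", "aliases", "fields", "default", "order",
        "symbols", "items", "values", "size", "logicalType", "precision", "scale");
    private static final int MAX_SCHEMA_BYTES = 64 * 1024; // assumed limit, tune per service
    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** Returns the parsed Schema, or throws before Schema.Parser ever sees the input. */
    public static Schema parseUntrusted(String json) throws Exception {
        if (json.getBytes(java.nio.charset.StandardCharsets.UTF_8).length > MAX_SCHEMA_BYTES) {
            throw new IllegalArgumentException("schema exceeds size limit");
        }
        checkNode(MAPPER.readTree(json), "$");
        return new Schema.Parser().parse(json); // only reached for allowlisted JSON
    }

    private static void checkNode(JsonNode node, String path) {
        if (node.isObject()) {
            for (Iterator<Map.Entry<String, JsonNode>> it = node.fields(); it.hasNext(); ) {
                Map.Entry<String, JsonNode> e = it.next();
                if (!ALLOWED_ATTRS.contains(e.getKey())) {
                    throw new IllegalArgumentException("unknown attribute '" + e.getKey() + "' at " + path);
                }
                // A "default" holds a value, not a schema, so its keys are not attribute names.
                if (!"default".equals(e.getKey())) checkNode(e.getValue(), path + "." + e.getKey());
            }
        } else if (node.isArray()) {
            for (int i = 0; i < node.size(); i++) checkNode(node.get(i), path + "[" + i + "]");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain record schema and one carrying a non-spec attribute.
        String ok = "{\"type\":\"record\",\"name\":\"Evt\",\"fields\":[{\"name\":\"id\",\"type\":\"long\"}]}";
        String bad = "{\"type\":\"record\",\"name\":\"Evt\",\"fields\":[],\"x-custom\":\"whatever\"}";
        System.out.println("accepted: " + parseUntrusted(ok).getFullName());
        try { parseUntrusted(bad); } catch (IllegalArgumentException ex) { System.out.println("rejected: " + ex.getMessage()); }
    }
}
```

Teams that rely on custom schema properties would add them to `ALLOWED_ATTRS` deliberately; the point is that unlisted attributes never reach the Avro parser. The gate complements the upgrade to 1.11.4 or 1.12.0 rather than replacing it.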

Given Apache Avro's widespread use by organizations—many of which are based in the U.S.—this security flaw could have serious implications if left unpatched, unsupervised, or unprotected. Organizations relying on Apache Avro are urged to upgrade to the recommended versions and implement proper security practices to mitigate potential risks.

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067