CVE-2024-47561: Apache Avro Java SDK: Arbitrary Code Execution when reading Avro Data (Java SDK)

Key Information from the Webpage Screenshot:

1. Severity: Critical

2. Affected Versions:
   - Apache Avro Java SDK before 1.11.4

3. Description:
   - Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code.
   - Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue.

4. Credit:
   - Kostya Kortchinsky, from the Databricks Security Team (finder)

5. References:
   - https://avro.apache.org/
   - https://www.cve.org/CVERecord?id=CVE-2024-47561

Additional Questions and Responses:

1. Question by Lari Hotari:
   - Is the RCE issue (Arbitrary Code Execution when reading Avro Data) reported in CVE-2024-47561 known to be exploitable in the default configuration of the Apache Avro Java SDK?
   - Given that upgrading and patching all systems with Avro 1.11.4/1.12.0 will take some time, are there known workarounds or mitigations?

2. Response by Martin Grigorov:
   - An application is vulnerable if it allows its users to provide their own Avro schemas for parsing.
   - Upgrading to 1.11.4 should be really easy!
   - 1.12.0 has more changes, so something else may affect/break your application.
   - Mitigations:
     1. Do not parse user-provided schemas.
     2. Sanitize the schema before parsing it. For more information ask us privately.
   - I am sure it will be! But it will be useful for all bad actors too ...

---

This information is crucial for understanding the severity and impact of the vulnerability, as well as the recommended actions to mitigate the risk.
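The two mitigations in the response above (do not parse user-provided schemas; sanitize a schema before parsing it) are stated without code. The following is an added example, written here and not part of the advisory, the mailing-list thread, or the Apache Avro project, of how an application could apply them while it waits for the 1.11.4/1.12.0 rollout. The `SchemaGate` class, the `TRUSTED` map, the `ALLOWED_ATTRIBUTES` set and the constructed sample schema are all assumptions of this example. The page does not say which schema attributes are the dangerous ones, so the sanitizer takes the conservative route of rejecting any attribute not defined for schema objects and record fields in the Avro specification; that is a defensive assumption, not a documented fix, and upgrading remains the only complete remedy.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.avro.Schema;

import java.util.Iterator;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not Apache Avro project code).
 *  1. trustedSchema(): the caller may only name a schema the service already
 *     holds; the request body never reaches Schema.Parser.
 *  2. parseUntrusted(): when a caller-supplied schema must be accepted, the
 *     JSON is walked first and any attribute outside the Avro specification
 *     is rejected (not silently stripped) before Schema.Parser sees it.
 */
public final class SchemaGate {

    // Schemas this service trusts. Assumption for the example: in a real
    // deployment these come from a registry the service controls.
    private static final Map<String, String> TRUSTED = Map.of(
        "user-v1",
        "{\"type\":\"record\",\"name\":\"User\",\"fields\":["
        + "{\"name\":\"id\",\"type\":\"long\"},"
        + "{\"name\":\"email\",\"type\":\"string\"}]}"
    );

    // Attributes the Avro specification defines on schema objects and record
    // fields. Everything else is treated as untrusted (assumption: the page
    // does not list which attributes matter for the CVE).
    private static final Set<String> ALLOWED_ATTRIBUTES = Set.of(
        "type", "name", "namespace", "doc", "aliases", "fields", "symbols",
        "items", "values", "size", "default", "order", "logicalType",
        "precision", "scale"
    );

    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** Mitigation 1: resolve a caller-chosen id against trusted schemas only. */
    public static Schema trustedSchema(String schemaId) {
        String json = TRUSTED.get(schemaId);
        if (json == null) {
            throw new IllegalArgumentException("unknown schema id: " + schemaId);
        }
        return new Schema.Parser().parse(json);
    }

    /** Mitigation 2: validate untrusted schema text before it is parsed. */
    public static Schema parseUntrusted(String schemaJson) throws Exception {
        JsonNode root = MAPPER.readTree(schemaJson);
        checkNode(root, "$");
        // Only the vetted tree is re-serialised and parsed; the raw string
        // from the caller is never handed to Schema.Parser directly.
        return new Schema.Parser().parse(MAPPER.writeValueAsString(root));
    }

    private static void checkNode(JsonNode node, String path) {
        if (node.isObject()) {
            Iterator<Map.Entry<String, JsonNode>> it = node.fields();
            while (it.hasNext()) {
                Map.Entry<String, JsonNode> e = it.next();
                if (!ALLOWED_ATTRIBUTES.contains(e.getKey())) {
                    throw new IllegalArgumentException(
                        "disallowed schema attribute '" + e.getKey() + "' at " + path);
                }
                // A "default" for a record or map field is a plain JSON value
                // whose object keys are data, not schema attributes: do not
                // apply the allowlist inside it.
                if (!"default".equals(e.getKey())) {
                    checkNode(e.getValue(), path + "." + e.getKey());
                }
            }
        } else if (node.isArray()) {
            int i = 0;
            for (JsonNode child : node) {
                checkNode(child, path + "[" + i++ + "]");
            }
        }
        // Scalars (type names, enum symbols) carry no attributes.
    }

    public static void main(String[] args) throws Exception {
        System.out.println(trustedSchema("user-v1").getFullName());

        // Constructed input for the example: a schema carrying an attribute
        // that the Avro specification does not define.
        String suspect = "{\"type\":\"record\",\"name\":\"X\",\"fields\":["
            + "{\"name\":\"f\",\"type\":\"string\",\"java-class\":\"com.example.Anything\"}]}";
        try {
            parseUntrusted(suspect);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Two caveats a practitioner should keep in mind: rejecting rather than stripping unknown attributes is deliberate, because an attacker probing the filter should get a hard failure that shows up in logs rather than a quietly altered schema; and the allowlist only constrains schema text that this code path sees, so any other entry point that calls `Schema.Parser` (schema files on disk, a schema registry client, Avro container files whose header embeds a schema) still has to be audited or upgraded.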