TheCyberThrone

Apache Avro vulnerability CVE-2024-47561


The Apache project has released a patch for a vulnerability, tracked as CVE-2024-47561, that affects all versions of the software prior to 1.11.4.

Apache Avro is a data serialization framework developed as part of the Apache Hadoop project. It provides a compact, fast, and efficient way to serialize structured data, which makes it particularly useful for applications involving big data, streaming, or distributed systems.

According to the advisory, schema parsing in the Java SDK of Apache Avro 1.11.3 and earlier versions allows an attacker to execute arbitrary code.

The vulnerability affects any application that lets users supply their own Avro schemas for parsing. Users are advised to upgrade to version 1.11.4 or 1.12.0, which fix this issue.
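A practical first step for a defender is to find out whether a build pulls in an affected Avro release. The script below is an added example, not code from the post or from the Apache project: it scans a Maven `pom.xml` for `org.apache.avro` dependencies, resolves `${...}` version properties, and flags any version below 1.11.4, the first fixed release named above (1.12.0 sorts above it and is treated as fixed). The `pom.xml` content is constructed for the example; the group id `org.apache.avro` and the version threshold come from the advisory.

```python
"""Flag Apache Avro dependency versions affected by CVE-2024-47561.

Added example (not from the TheCyberThrone post or the Apache project):
scans Maven pom.xml text for org.apache.avro artifacts and reports any
version below 1.11.4, the first fixed release named in the advisory.
"""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (1, 11, 4)      # per the advisory: 1.11.4 and 1.12.0 carry the fix
AVRO_GROUP_ID = "org.apache.avro"

# Constructed sample pom.xml for this example (not a real project's build file).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <avro.version>1.11.3</avro.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.avro</groupId>
      <artifactId>avro</artifactId>
      <version>${avro.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.avro</groupId>
      <artifactId>avro-compiler</artifactId>
      <version>1.12.0</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>unrelated</artifactId>
      <version>0.9.0</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text):
    """Turn '1.11.3' into (1, 11, 3); a non-numeric tail such as '-SNAPSHOT' is dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(version_text):
    """True when the version sorts before the first fixed release (1.11.4)."""
    return parse_version(version_text) < FIXED_VERSION


def _strip_ns(tag):
    # Maven POMs carry an XML namespace; compare on the local tag name only.
    return tag.split("}", 1)[-1]


def find_vulnerable_avro_deps(pom_text):
    """Return [(artifactId, resolved version)] for affected org.apache.avro dependencies."""
    root = ET.fromstring(pom_text)

    # Collect <properties> so that ${avro.version}-style placeholders can be resolved.
    props = {}
    for node in root.iter():
        if _strip_ns(node.tag) == "properties":
            for child in node:
                props[_strip_ns(child.tag)] = (child.text or "").strip()

    findings = []
    for dep in root.iter():
        if _strip_ns(dep.tag) != "dependency":
            continue
        fields = {_strip_ns(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") != AVRO_GROUP_ID:
            continue
        version = fields.get("version", "")
        m = re.fullmatch(r"\$\{(.+)\}", version)
        if m:
            version = props.get(m.group(1), version)
        if version and is_vulnerable(version):
            findings.append((fields.get("artifactId", "?"), version))
    return findings


if __name__ == "__main__":
    for artifact, version in find_vulnerable_avro_deps(SAMPLE_POM):
        print(f"{AVRO_GROUP_ID}:{artifact}:{version} is affected by CVE-2024-47561; "
              f"upgrade to 1.11.4 or 1.12.0")
```

Run it against a real `pom.xml` by replacing `SAMPLE_POM` with the file's contents. Versions inherited from a parent POM or a BOM are not resolved here, so a dependency with no `<version>` element is skipped rather than reported; for those cases the effective POM (`mvn help:effective-pom`) is the input to scan.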


Security researchers provide the following mitigations for users who are unable to apply the security updates:
