Apache Arrow affected by CVE-2024-52338 Code Execution Flaw


A critical security vulnerability has been identified in the Apache Arrow R package (the CRAN package arrow), affecting versions 4.0.0 through 16.1.0. It could allow attackers to execute arbitrary code on systems that process maliciously crafted data files.

The flaw, tracked as CVE-2024-52338 with a CVSS score of 9.8, stems from deserialization of untrusted data in the IPC and Parquet readers of the affected versions of the R package. Applications that read Arrow IPC, Feather or Parquet files from untrusted sources, such as user-supplied input files, are the ones exposed.

If exploited, the flaw lets an attacker run code of their choosing inside the R process that reads the file, and from there compromise the host and reach any sensitive data that process can access. The vulnerability is specific to the Apache Arrow R package; other Apache Arrow implementations and language bindings are not directly affected.

The Apache Software Foundation urges users to upgrade the Apache Arrow R package to version 17.0.0 or later immediately. Downstream packages that depend on arrow should likewise raise their dependency requirement to 17.0.0 or later.

For users who cannot upgrade immediately, the advisory describes a temporary workaround: read untrusted data into an Arrow Table rather than straight into a data frame (for example by passing as_data_frame = FALSE to the reader) and convert it with the Table's internal to_data_frame() method. This only mitigates the reading path; upgrading remains the fix.
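The following is an added example, not code from the advisory or from the arrow project, showing how a practitioner might wrap the workaround so that untrusted Parquet, Feather or IPC stream files are always read into a Table first and converted with to_data_frame(), with a warning whenever the installed arrow version is in the affected range. The function names arrow_is_affected and read_untrusted, the format argument and the sample table written to a temporary file are assumptions made for the example; read_parquet, read_feather, read_ipc_stream, the as_data_frame argument and Table$to_data_frame() are real arrow R package APIs.

```r
# Added example (not from the advisory or the arrow project). Wraps the
# advisory's workaround for CVE-2024-52338: read untrusted files into an
# Arrow Table and convert with Table$to_data_frame() instead of letting the
# reader build the data frame itself.
library(arrow)

# TRUE when the installed arrow R package is in the affected range
# (4.0.0 through 16.1.0; fixed in 17.0.0).
arrow_is_affected <- function() {
  v <- packageVersion("arrow")
  v >= "4.0.0" && v < "17.0.0"
}

# Hypothetical helper name: read a file from an untrusted source.
# `format` selects the reader; all three readers accept as_data_frame.
read_untrusted <- function(path, format = c("parquet", "feather", "ipc_stream")) {
  format <- match.arg(format)
  reader <- switch(format,
    parquet    = arrow::read_parquet,
    feather    = arrow::read_feather,
    ipc_stream = arrow::read_ipc_stream
  )

  if (arrow_is_affected()) {
    warning(sprintf(
      "arrow %s is affected by CVE-2024-52338; upgrade to 17.0.0 or later. Using the Table$to_data_frame() workaround.",
      packageVersion("arrow")
    ), call. = FALSE)
  }

  # Step 1: get an Arrow Table, not a data.frame, from the reader.
  tbl <- reader(path, as_data_frame = FALSE)
  stopifnot(inherits(tbl, "Table"))

  # Step 2: convert with the Table's own method, as the advisory recommends.
  tbl$to_data_frame()
}

# Constructed sample input so the example runs offline: write a small table
# to a temporary Parquet file and read it back through the wrapper.
sample_df <- data.frame(id = 1:3, name = c("a", "b", "c"), stringsAsFactors = FALSE)
tmp <- tempfile(fileext = ".parquet")
arrow::write_parquet(sample_df, tmp)

result <- read_untrusted(tmp, format = "parquet")
stopifnot(nrow(result) == 3, identical(result$id, sample_df$id))
unlink(tmp)
```

The wrapper changes only how the file is turned into a data frame, so compare its output with what your code previously got from the default reader (column types, row order, object class) before swapping it in, and keep the warning visible in logs so that the upgrade to 17.0.0 or later is not forgotten once the workaround is in place.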
