CVE-2024-47561: Critical Flaw in Apache Avro Java SDK Allows Arbitrary Code Execution
A critical security vulnerability (CVE-2024-47561) has been discovered in the Apache Avro Java SDK, potentially allowing attackers to execute arbitrary code on affected systems. This vulnerability affects all versions of the Apache Avro Java SDK prior to 1.11.4.
Apache Avro is a widely used data serialization system employed in numerous data pipelines and streaming applications. Its popularity stems from its efficient binary data format, support for schema evolution, and broad language compatibility, including Java, Python, C++, and JavaScript.
The vulnerability stems from a flaw in the schema parsing functionality of the Java SDK. This flaw allows malicious actors to craft Avro data that, when parsed by a vulnerable system, triggers the execution of arbitrary code. Because the weakness sits in schema parsing, exposure is greatest for services that parse Avro schemas or data received from untrusted parties. Successful exploitation could lead to complete system compromise, data breaches, and denial-of-service attacks.
The Apache Avro team has addressed this vulnerability in versions 1.11.4 and 1.12.0 of the Java SDK. All users are strongly urged to upgrade to one of these versions immediately.
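As an added triage example (not code from the advisory or from the Apache Avro project), the script below scans Maven or Gradle dependency-tree output for the org.apache.avro:avro artifact and flags any resolved version below 1.11.4, the threshold the advisory gives; 1.12.x is treated as fixed. The dependency-tree text is constructed for illustration, and treating a pre-release qualifier such as -SNAPSHOT as equal to its base version is an assumption to revisit for your own builds.

```python
"""Triage helper for CVE-2024-47561: find org.apache.avro:avro in build output
and report whether the resolved version is below the fixed release 1.11.4.
Added example; not part of the advisory or the Avro project."""
import re
from typing import List, Tuple

# Lowest fixed release named in the advisory; every version below it is affected.
FIXED_MIN = (1, 11, 4)

# Matches the core Avro artifact in Maven ("org.apache.avro:avro:jar:1.11.3:compile")
# and Gradle ("org.apache.avro:avro:1.11.3 -> 1.12.0") dependency-tree lines.
# The trailing ':' after 'avro' keeps avro-compiler / avro-tools out of the match.
DEP_RE = re.compile(r"\borg\.apache\.avro:avro:(?:jar:)?(\d[\w.\-+]*)")
# Gradle prints the conflict-resolved version after an arrow; that is what ships.
ARROW_RE = re.compile(r"->\s*(\d[\w.\-+]*)")

# Constructed sample: a Maven 'mvn dependency:tree' excerpt with a vulnerable Avro.
SAMPLE_MAVEN_TREE = """\
[INFO] com.example:pipeline:jar:2.3.0
[INFO] +- org.apache.avro:avro:jar:1.11.3:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile
[INFO] +- org.apache.avro:avro-compiler:jar:1.11.3:compile
[INFO] \\- org.apache.kafka:kafka-clients:jar:3.6.0:compile
"""

# Constructed sample: a Gradle 'dependencies' excerpt where conflict resolution
# upgraded Avro to a fixed release.
SAMPLE_GRADLE_TREE = """\
compileClasspath - Compile classpath for source set 'main'.
+--- org.apache.avro:avro:1.11.3 -> 1.12.0
\\--- org.apache.kafka:kafka-clients:3.6.0
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.11.3' or '1.12.0-SNAPSHOT' into a tuple of ints for comparison.
    Assumption: the qualifier after '-' or '+' is dropped, so a snapshot is
    treated like its base version."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str) -> bool:
    """True when the version predates the first fixed release (1.11.4)."""
    return parse_version(version) < FIXED_MIN


def scan_dependency_tree(text: str) -> List[Tuple[str, bool]]:
    """Return (resolved_version, affected) for each org.apache.avro:avro line."""
    findings = []
    for line in text.splitlines():
        match = DEP_RE.search(line)
        if not match:
            continue
        version = match.group(1)
        resolved = ARROW_RE.search(line)
        if resolved:  # Gradle replaced the declared version; use the resolved one
            version = resolved.group(1)
        findings.append((version, is_affected(version)))
    return findings


def report(text: str) -> List[str]:
    """Human-readable lines for each finding; empty if Avro is not present."""
    lines = []
    for version, affected in scan_dependency_tree(text):
        status = "AFFECTED (upgrade to 1.11.4 or 1.12.0)" if affected else "fixed"
        lines.append(f"org.apache.avro:avro {version}: {status}")
    return lines


if __name__ == "__main__":
    for name, tree in (("maven", SAMPLE_MAVEN_TREE), ("gradle", SAMPLE_GRADLE_TREE)):
        print(f"== {name} ==")
        for line in report(tree) or ["org.apache.avro:avro not found"]:
            print(line)
```

Run it against real output from `mvn dependency:tree` or `gradle dependencies` by feeding that text to `report()`; the Gradle branch matters because the version a module declares is often not the version conflict resolution actually puts on the classpath.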
Kostya Kortchinsky of the Databricks Security Team is credited with discovering this vulnerability and responsibly disclosing it to the Apache Avro project.
Organizations relying on Apache Avro, especially those utilizing the Java SDK, should prioritize patching their systems to mitigate the risk of exploitation, and should confirm the Avro version that actually resolves in each build, since the library is frequently pulled in transitively by other data-pipeline dependencies. Delaying updates could expose them to serious security breaches with potentially devastating consequences.