A critical security vulnerability has been uncovered in the Apache Avro Java Software Development Kit (SDK), tracked as CVE-2024-47561, which could allow attackers to execute arbitrary code on vulnerable systems. The flaw affects all versions of the SDK prior to 1.11.4, so developers should upgrade to 1.11.4 or 1.12.0 to protect their applications. Apache Avro is a popular open-source data serialization framework, widely used for large-scale data processing, and the flaw poses serious risks, particularly for applications that accept user-provided schemas.
The vulnerability stems from improper schema parsing in Avro versions 1.11.3 and earlier, which enables malicious actors to inject code by providing specially crafted schemas. Any application that permits users to input their own Avro schemas for parsing is vulnerable to this attack. Kostya Kortchinsky from the Databricks security team discovered the issue and reported it to the Apache Avro team, leading to the release of updated versions that patch the flaw.
Mayuresh Dani, Manager of Threat Research at Qualys, emphasized the severity of the vulnerability, noting that malicious input processed via ReflectData and SpecificData directives can lead to code execution, with potential exploitation through Kafka environments. Although no proof-of-concept (PoC) has been made public yet, the vulnerability presents significant security risks if left unpatched, especially given the widespread use of Apache Avro across many organizations.
As a mitigation strategy, developers are strongly advised to sanitize any Avro schemas provided by users and avoid allowing untrusted schemas for parsing. The open-source nature of Apache Avro means it is used by numerous organizations, particularly in the United States, making it vital to apply security updates promptly. Failing to do so could expose systems to critical attacks, underscoring the importance of upgrading to the latest versions and implementing strict security practices around schema validation.
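As an added illustration of the schema-sanitization advice above (example code written for this page, not part of the Avro project), the gate below inspects an untrusted schema as plain JSON before it is ever handed to the SDK's parser. It assumes that the schema attributes worth policing are the ones Avro's ReflectData/SpecificData paths read as Java class names (`java-class`, `java-key-class`, `java-element-class`), and that an allowlist of trusted package prefixes is the policy an operator wants; the sample schemas are constructed.

```python
import json

# Custom schema attributes that the Avro Java SDK's ReflectData / SpecificData
# paths interpret as Java class names to load. Assumption: these three are the
# attributes a gate should police; extend the set if your build adds others.
CLASS_RESOLVING_PROPS = frozenset({"java-class", "java-key-class", "java-element-class"})


def find_class_props(node, path="$"):
    """Return [(json_path, attribute, value)] for every class-resolving
    attribute anywhere in a parsed schema: nested records, unions (lists),
    map/array element types and individual field definitions."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key in CLASS_RESOLVING_PROPS:
                hits.append((path, key, value))
            hits.extend(find_class_props(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_class_props(item, f"{path}[{i}]"))
    return hits


def check_schema(schema_text, trusted_packages=(), max_bytes=64 * 1024):
    """Gate an untrusted schema before it reaches Schema.Parser.
    Returns (accepted, reason). Class-resolving attributes are rejected
    unless their value lies under an explicitly trusted package prefix."""
    if len(schema_text.encode("utf-8")) > max_bytes:
        return False, f"schema larger than {max_bytes} bytes"
    try:
        parsed = json.loads(schema_text)
    except ValueError as exc:
        return False, f"not valid JSON: {exc}"
    for path, attr, value in find_class_props(parsed):
        trusted = isinstance(value, str) and any(
            value.startswith(pkg + ".") for pkg in trusted_packages)
        if not trusted:
            return False, f"{attr}={value!r} at {path} is not in a trusted package"
    return True, "ok"


# Constructed sample schemas for demonstration (not taken from the advisory).
BENIGN_SCHEMA = json.dumps({
    "type": "record", "name": "Event", "namespace": "com.example",
    "fields": [{"name": "id", "type": "long"},
               {"name": "tags", "type": {"type": "array", "items": "string"}}]})
CLASS_HINT_SCHEMA = json.dumps({
    "type": "record", "name": "Event",
    "fields": [{"name": "payload",
                "type": {"type": "string", "java-class": "com.example.model.Payload"}}]})

if __name__ == "__main__":
    print(check_schema(BENIGN_SCHEMA))                                            # accepted
    print(check_schema(CLASS_HINT_SCHEMA))                                        # rejected
    print(check_schema(CLASS_HINT_SCHEMA, trusted_packages=("com.example.model",)))  # accepted
```

Only schemas that pass the gate should be passed to `Schema.Parser`; the gate complements, and does not replace, upgrading to a fixed SDK release.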