====================================================================
          CERT-Renater Note d'Information No. 2020/VULN208
_____________________________________________________________________

DATE                 : 17/04/2020
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Apache Heron versions
                       0.20.2-incubating, 0.20.1-incubating,
                       v-0.20.0-incubating.
=====================================================================

http://mail-archives.apache.org/mod_mbox/heron-dev/202004.mbox/%3cCAFkuAo0aXP-Ud3DESJWj77S9rB4aHNXaPj2J3z2JO0Js9dC1Pg@mail.gmail.com%3e
_____________________________________________________________________

CVE-2020-1964: Apache Heron (incubating) information disclosure
vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
  0.20.2-incubating
  0.20.1-incubating
  v-0.20.0-incubating

Description:
Apache Heron versions 0.20.2-incubating and earlier do not configure
their YAML parser to prevent the instantiation of arbitrary types,
resulting in remote code execution vulnerabilities (CWE-502:
Deserialization of Untrusted Data).

Mitigation:
Users of 0.20.2-incubating and earlier should build from the current
HEAD of master. A vote has been started for a new release,
0.20.3-incubating, which will include the fix.

Credit:
This vulnerability was discovered by Frederic Vleminckx.

Regards,
The Apache Heron (Incubating) Team

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: cert@support.renater.fr +
=========================================================
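The advisory does not name the YAML library Heron uses, so the following added illustration (not Heron's code, nor from the CERT note) uses PyYAML as a stand-in to show the weak loader setting beside the hardened one: a loader that honours language-specific tags instantiates whatever type the document names, while a loader restricted to the core YAML schema refuses such tags before any object is built. The configuration document and its keys are constructed for the example; the Java analogue is constructing SnakeYAML with a SafeConstructor.

```python
"""Constructed illustration of the CWE-502 pattern in a YAML config reader.
PyYAML stands in for the unnamed parser; the document below is made up."""
import yaml

# Constructed configuration document. Besides ordinary keys it carries a
# tag asking the parser to call fractions.Fraction(1, 3). The target type is
# harmless here; the point is that the document, not the program, chose it.
CONFIG_DOC = """\
heron.topology.name: wordcount
heron.topology.workers: 2
sample.rate: !!python/object/apply:fractions.Fraction [1, 3]
"""


def load_unrestricted(text):
    """Weak setting: yaml.Loader resolves every !!python/* tag, so the
    document can instantiate arbitrary types (the vulnerable pattern)."""
    return yaml.load(text, Loader=yaml.Loader)


def load_restricted(text):
    """Hardened setting: SafeLoader knows only the core schema (str, int,
    float, bool, null, seq, map, ...), so a type-instantiating tag raises
    ConstructorError instead of running a constructor."""
    return yaml.load(text, Loader=yaml.SafeLoader)


def check_document(text):
    """Parse a config document with the restricted loader only and report
    ("ok", config) or ("rejected", reason); the shape a config reader needs."""
    try:
        return "ok", load_restricted(text)
    except yaml.YAMLError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    # Unrestricted: the tagged value came back as a live Fraction object.
    print(type(load_unrestricted(CONFIG_DOC)["sample.rate"]).__name__)
    # Restricted: the same document is refused before any object is built.
    status, detail = check_document(CONFIG_DOC)
    print(status, "-", detail.splitlines()[0])
```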