=====================================================================
CERT-Renater Information Note No. 2023/VULN367
_____________________________________________________________________
DATE                 : 04/10/2023
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Apache Avro versions prior to 1.11.3.
=====================================================================

https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds
_____________________________________________________________________

Ryan Skraba - Friday 29 September 2023 18:12:45 UTC+2

Severity: low

Affected versions:
- Apache Avro Java SDK before 1.11.3

Description:
When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus cause an out-of-memory condition on the system.

This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3, which addresses this issue.

This issue is being tracked as AVRO-3819.

Credit:
Adam Korczynski at ADA Logics Ltd (finder)

References:
https://avro.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-39410
https://issues.apache.org/jira/browse/AVRO-3819

=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44             +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41             +
+ 75013 Paris        | email : cert@support.renater.fr  +
=========================================================
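The failure mode named in the Description, a reader that trusts a hostile or corrupted length prefix and allocates accordingly, illustrated in Python as an added example that is not Apache Avro's code and not the AVRO-3819 fix. Avro encodes `bytes` and `string` values as a zig-zag varint length followed by the payload; the bounded reader below checks the declared length against a caller-chosen cap and against the data actually present before allocating anything. The cap and all sample inputs are constructed for the example.

```python
# Added example (not Apache Avro code): bounded decoding of an Avro binary
# `bytes`/`string` field.  A reader that allocates whatever the length header
# claims can be pushed to OutOfMemory by one hostile or corrupted header.

class DecodeError(ValueError): pass  # malformed input or configured limit exceeded

def read_varint_zigzag(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode an Avro zig-zag varint long at buf[pos]; return (value, next_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise DecodeError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            break
        shift += 7
        if shift > 63:  # an Avro long never needs more than 10 varint bytes
            raise DecodeError("varint too long")
    return (result >> 1) ^ -(result & 1), pos  # undo zig-zag encoding

def write_varint_zigzag(n: int) -> bytes:
    """Encode a signed 64-bit value as an Avro zig-zag varint (to build test input)."""
    n = (n << 1) ^ (n >> 63)
    out = bytearray()
    while n & ~0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)

def read_bytes_bounded(buf: bytes, pos: int, max_len: int) -> tuple[bytes, int]:
    """Read a length-prefixed field, refusing to allocate past max_len or past the buffer."""
    length, pos = read_varint_zigzag(buf, pos)
    if length < 0:
        raise DecodeError(f"negative length {length}")
    if length > max_len:  # the check a vulnerable reader lacks: cap before allocating
        raise DecodeError(f"declared length {length} exceeds limit {max_len}")
    if length > len(buf) - pos:  # corrupted/truncated input: header promises more than exists
        raise DecodeError(f"declared length {length} but only {len(buf) - pos} bytes remain")
    return buf[pos:pos + length], pos + length

def rejects(buf: bytes, max_len: int) -> bool:
    """True if the bounded reader refuses buf (exercises the failure cases)."""
    try:
        read_bytes_bounded(buf, 0, max_len)
        return False
    except DecodeError:
        return True
```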