====================================================================

                                CERT-Renater

                     Note d'Information No. 2024/VULN402
_____________________________________________________________________

DATE                : 04/10/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Avro Java SDK versions
                                     prior to 1.11.4.

=====================================================================
https://lists.apache.org/thread/7skzdlzj25tw7mmj53jzblhs84dcpwkm
_____________________________________________________________________

CVE-2024-47561: Apache Avro Java SDK: Arbitrary Code Execution when
reading Avro Data (Java SDK)

Severity: critical


Affected versions:

- Apache Avro Java SDK before 1.11.4


Description:

Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous
versions allows bad actors to execute arbitrary code.

Users are recommended to upgrade to version 1.11.4  or 1.12.0, which
fix this issue.


Credit:

Kostya Kortchinsky, from the Databricks Security Team (finder)


References:

https://avro.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-47561




=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================