### CVE-2024-47561: Apache Avro Java SDK: Arbitrary Code Execution when reading Avro Data (Java SDK)

#### Key Information from the Webpage Screenshot:

1. **Severity**: Critical
2. **Affected Versions**:
   - Apache Avro Java SDK before 1.11.4
3. **Description**:
   - Schema parsing in the Java SDK of Apache Avro 1.11.3 and earlier versions allows attackers to execute arbitrary code.
   - Users are advised to upgrade to version 1.11.4 or 1.12.0, which resolve this vulnerability.
4. **Credit**:
   - Kostya Kortchinsky, from the Databricks Security Team (discoverer)
5. **References**:
   - [https://avro.apache.org/](https://avro.apache.org/)
   - [https://www.cve.org/CVERecord?id=CVE-2024-47561](https://www.cve.org/CVERecord?id=CVE-2024-47561)

#### Additional Questions and Responses:

1. **Question by Lari Hotari**:
   - Is the RCE issue (Arbitrary Code Execution when reading Avro Data) reported in CVE-2024-47561 known to be exploitable in the default configuration of Apache Avro Java SDK?
   - Given that upgrading and patching all systems with Avro 1.11.4/1.12.0 will take some time, are there known workarounds or mitigations?
2. **Response by Martin Grigorov**:
   - An application is vulnerable if it allows users to supply their own Avro schemas for parsing.
   - Upgrading to 1.11.4 should be straightforward!
   - 1.12.0 includes more changes, so other aspects of your application might be affected or broken.
   - Mitigations:
     1. Do not parse schemas provided by users
     2. Sanitize the schema before parsing it. For more details, contact us privately.
   - I'm sure it will be! But it will also be useful for all attackers...

---

This information is crucial for understanding the severity and impact of the vulnerability, as well as the recommended actions to mitigate the risk.
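As an added illustration of the second mitigation (sanitizing a schema before parsing it), not code from the Avro project or from the thread above: a gate that walks the schema JSON and refuses any property not defined by the Avro specification before the text is handed to `Schema.Parser`. It assumes the conservative policy of rejecting every non-spec property, since the page does not say which schema content is involved; the `SchemaGate` class and the sample schemas are constructed here.

```java
import java.util.Iterator;
import java.util.Set;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.avro.Schema;

public final class SchemaGate {
    // Properties defined by the Avro specification for records, fields, enums,
    // arrays, maps, fixed types and logical types. Anything else is rejected
    // before the text ever reaches Schema.Parser (conservative policy; an assumption
    // made here because the advisory does not identify the offending content).
    private static final Set<String> ALLOWED = Set.of(
        "type", "name", "namespace", "doc", "aliases", "fields", "symbols",
        "items", "values", "size", "default", "order", "logicalType",
        "precision", "scale");
    private static final ObjectMapper MAPPER = new ObjectMapper();

    // Parses schema text from an untrusted source only after the allowlist walk passes.
    public static Schema parseUntrusted(String json) throws Exception {
        JsonNode root = MAPPER.readTree(json);
        walk(root, "$");
        return new Schema.Parser().parse(json);
    }

    private static void walk(JsonNode node, String path) {
        if (node.isObject()) {
            for (Iterator<String> it = node.fieldNames(); it.hasNext();) {
                String key = it.next();
                if (!ALLOWED.contains(key)) {
                    throw new IllegalArgumentException(
                        "schema rejected: non-spec property '" + key + "' at " + path);
                }
                // A field default may be any JSON value (e.g. a record literal whose
                // keys are field names), so its contents are not subject to the allowlist.
                if (!"default".equals(key)) {
                    walk(node.get(key), path + "." + key);
                }
            }
        } else if (node.isArray()) {
            for (int i = 0; i < node.size(); i++) {
                walk(node.get(i), path + "[" + i + "]");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a plain record schema passes; one carrying an unexpected property is refused.
        String ok = "{\"type\":\"record\",\"name\":\"Ping\",\"fields\":[{\"name\":\"id\",\"type\":\"long\"}]}";
        System.out.println("accepted: " + parseUntrusted(ok).getFullName());
        String extra = "{\"type\":\"record\",\"name\":\"Ping\",\"x-custom\":\"value\",\"fields\":[]}";
        try { parseUntrusted(extra); } catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
    }
}
```

Applications that legitimately rely on custom schema properties would need to add those keys explicitly; the first mitigation, not parsing user-supplied schemas at all, remains the simpler control.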