A critical vulnerability has been identified in the Java SDK of Apache Avro that allows attackers to execute arbitrary code on vulnerable instances. The flaw, tracked as CVE-2024-47561, affects Apache Avro 1.11.3 and all earlier versions; it is fixed in 1.11.4 and 1.12.0.
In the official project advisory, developers state: “Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code.” Users are advised to update to version 1.11.4 or 1.12.0, where this issue has been resolved.
Apache Avro is a data serialization framework, comparable to Google's Protobuf, that is widely used for handling large volumes of data. The vulnerability affects applications that load and parse Avro schemas supplied by external, untrusted parties; an application that only parses schemas shipped with its own code is not exposed through this path.
The issue was discovered by Databricks security specialist Kostya Kortchinsky. Beyond upgrading, it is recommended to validate schemas thoroughly before parsing them and, wherever possible, to avoid parsing user-supplied schemas at all.
Mayuresh Dani, Threat Research Manager at Qualys, noted that “the CVE-2024-47561 vulnerability affects Apache Avro version 1.11.3 and earlier during the deserialization of input data through the Avro schema.” He also pointed out that while no proof-of-concept (PoC) exploit is publicly available at the time of publication, there is potential for exploitation via the ReflectData and SpecificData directives, as well as through Kafka.
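The two mitigations above (validate before parsing, do not parse user-supplied schemas) and the ReflectData/SpecificData angle raised by Dani can be turned into a small gatekeeper in front of `Schema.Parser`. The following is an added example written for this article; it is not code from the Apache Avro project or from the researchers quoted. It assumes Java 17 (for `HexFormat`), the `org.apache.avro:avro` artifact and its Jackson dependency on the classpath, and a constructed sample schema `USER_V1`. The allow-list is the primary control: only a schema whose exact text is pinned at build time ever reaches the parser. The `parseScreened` fallback, for services that must accept new schemas, rejects the `java-class`, `java-key-class` and `java-element-class` properties that `ReflectData` and `SpecificData` honour to select Java classes; this is defence in depth chosen for the example, not a statement about the mechanism of CVE-2024-47561, and it does not replace upgrading to 1.11.4 or 1.12.0.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.Map;
import java.util.Set;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.avro.Schema;

/** Added example: gate untrusted schema text before it reaches Schema.Parser. */
public final class SchemaGate {

    // Constructed sample schema: the only schema this service is prepared to parse.
    static final String USER_V1 =
        "{\"type\":\"record\",\"name\":\"User\",\"namespace\":\"example\","
      + "\"fields\":[{\"name\":\"id\",\"type\":\"long\"},{\"name\":\"email\",\"type\":\"string\"}]}";

    // Allow-list keyed by SHA-256 of the exact schema text. Populated from schemas
    // shipped with the application at startup, never from request data.
    private static final Map<String, Schema> TRUSTED =
        Map.of(sha256(USER_V1), new Schema.Parser().parse(USER_V1));

    // Properties ReflectData/SpecificData read to pick Java classes. An externally
    // supplied schema has no legitimate reason to carry them (defence-in-depth assumption).
    private static final Set<String> JAVA_HINTS =
        Set.of("java-class", "java-key-class", "java-element-class");

    private static final ObjectMapper JSON = new ObjectMapper();

    /** Vulnerable pattern: the caller's bytes go straight into the parser. */
    static Schema parseUntrusted(String schemaJson) {
        return new Schema.Parser().parse(schemaJson); // never do this with external input on <= 1.11.3
    }

    /** Hardened: only a pinned schema is ever handed to Schema.Parser. */
    static Schema resolvePinned(String schemaJson) {
        Schema s = TRUSTED.get(sha256(schemaJson));
        if (s == null) {
            throw new IllegalArgumentException("schema not in allow-list");
        }
        return s;
    }

    /** Fallback when new schemas must be accepted: screen the JSON, then parse. */
    static Schema parseScreened(String schemaJson) throws Exception {
        if (schemaJson.length() > 64 * 1024) {
            throw new IllegalArgumentException("schema too large");
        }
        JsonNode root = JSON.readTree(schemaJson);
        screen(root, 0);
        return new Schema.Parser().parse(schemaJson);
    }

    // Walk the JSON tree: refuse Java class hints anywhere and cap nesting depth.
    private static void screen(JsonNode node, int depth) {
        if (depth > 32) {
            throw new IllegalArgumentException("schema nested too deeply");
        }
        if (node.isObject()) {
            node.fieldNames().forEachRemaining(name -> {
                if (JAVA_HINTS.contains(name)) {
                    throw new IllegalArgumentException("forbidden property: " + name);
                }
            });
            node.elements().forEachRemaining(child -> screen(child, depth + 1));
        } else if (node.isArray()) {
            node.elements().forEachRemaining(child -> screen(child, depth + 1));
        }
    }

    private static String sha256(String text) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(text.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(resolvePinned(USER_V1).getFullName()); // example.User

        // Constructed input carrying a Java class hint: rejected by both paths.
        String hinted = "{\"type\":\"string\",\"java-class\":\"com.example.NotOurs\"}";
        try {
            resolvePinned(hinted);
        } catch (IllegalArgumentException e) {
            System.out.println("pinned: " + e.getMessage());
        }
        try {
            parseScreened(hinted);
        } catch (IllegalArgumentException e) {
            System.out.println("screened: " + e.getMessage());
        }
    }
}
```

Keying the allow-list on the raw text rather than on a parsed fingerprint is deliberate: computing `SchemaNormalization.parsingFingerprint64` would require parsing the untrusted input first, which is exactly the step the advisory warns against.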
Because Apache Avro is open source and embedded in many data pipelines, it is used by a large number of organizations, most of them based in the United States, which widens the exposure if the fix is not rolled out promptly.