#VU83219 Deserialization of Untrusted Data in Apache Avro


Published: 2023-11-16

Vulnerability identifier: #VU83219

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-39410

CWE-ID: CWE-502

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Avro
Server applications / Database software

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to reader can consume memory beyond the allowed constraints and thus lead to out of memory on the system, when deserializing untrusted or corrupted data. A remote attacker can pass specially crafted data to the application and perform a denial of service attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache Avro: 1.11.0 - 1.11.2

External links
http://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds
http://www.openwall.com/lists/oss-security/2023/09/29/6

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Disconnected Log Collector
Multiple vulnerabilities in IBM Operations Analytics Predictive Insights
Bamboo Data Center and Server update for Apache Avro
Jira Software Data Center and Server update for Apache Avro
Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management
Multiple vulnerabilities in IBM Cognos Analytics
Multiple vulnerabilities in IBM Application Performance Management
Multiple vulnerabilities in IBM Data Risk Manager
Multiple vulnerabilities in Oracle Middleware Common Libraries and Tools
Multiple vulnerabilities in Oracle Business Intelligence Enterprise Edition