{
  "threat_severity" : "Critical",
  "public_date" : "2024-10-03T12:20:00Z",
  "bugzilla" : {
    "description" : "apache-avro: Schema parsing may trigger Remote Code Execution (RCE)",
    "id" : "2316116",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2316116"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-502",
  "details" : [ "Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code.\nUsers are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue.", "A vulnerability was found in Apache Avro. The project is affected and at risk if it accepts an Apache Avro (org.apache.avro/avro) schema for parsing that is provided by an end user. This flaw allows an attacker to trigger remote code execution by using the special \"java-class\" attribute." ],
  "statement" : "The Red Hat build of Apache Camel K 1.10 was rated Important as it allows users to provide an Avro schema for parsing. Note that this functionality is limited to authenticated users.\nRed Hat Single Sign-On 7 ships the affected component in its maven repository but does not use it in the product. As such it is affected but not vulnerable to the flaw, and is assessed at Moderate security impact.",
  "affected_release" : [ {
    "product_name" : "Red Hat build of Apache Camel 4.4.3 for Spring Boot",
    "release_date" : "2024-10-14T00:00:00Z",
    "advisory" : "RHSA-2024:8064",
    "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.4.3",
    "package" : "org.apache.avro/avro"
  }, {
    "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3",
    "release_date" : "2024-10-10T00:00:00Z",
    "advisory" : "RHSA-2024:7972",
    "cpe" : "cpe:/a:redhat:camel_quarkus:3.8",
    "package" : "org.apache.avro/avro"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 2.6.5 GA",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHSA-2024:7861",
    "cpe" : "cpe:/a:redhat:apicurio_registry:2.6",
    "package" : "org.apache.avro/avro"
  }, {
    "product_name" : "Red Hat build of Quarkus 3.2",
    "release_date" : "2024-10-10T00:00:00Z",
    "advisory" : "RHSA-2024:7676",
    "cpe" : "cpe:/a:redhat:quarkus:3.2::el8",
    "package" : "org.apache.avro/avro"
  }, {
    "product_name" : "Red Hat build of Quarkus 3.8",
    "release_date" : "2024-10-10T00:00:00Z",
    "advisory" : "RHSA-2024:7670",
    "cpe" : "cpe:/a:redhat:quarkus:3.8::el8",
    "package" : "org.apache.avro/avro"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform",
    "release_date" : "2024-12-10T00:00:00Z",
    "advisory" : "RHSA-2024:10933",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform::el7",
    "package" : "org.apache.avro/avro:1.11.4.redhat-00001"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "release_date" : "2024-10-08T00:00:00Z",
    "advisory" : "RHSA-2024:7812",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "release_date" : "2024-10-14T00:00:00Z",
    "advisory" : "RHSA-2024:8093",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10208",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-apache-cxf-0:3.1.16-3.SP1_redhat_00001.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10208",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-avro-0:1.7.6-2.redhat_00003.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10208",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-bouncycastle-0:1.68.0-1.redhat_00005.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10208",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-h2database-0:1.4.197-2.redhat_00005.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10208",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-jackson-databind-0:2.8.11.6-1.SP1_redhat_00001.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10208",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10208",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-jboss-xnio-base-0:3.5.10-1.Final_redhat_00001.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10208",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-wildfly-0:7.1.8-2.GA_redhat_00002.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10208",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-xalan-j2-0:2.7.1-26.redhat_00015.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10207",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10207",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10207",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10207",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10207",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10207",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10207",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10207",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10207",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10207",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10207",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10207",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
    "release_date" : "2024-10-08T00:00:00Z",
    "advisory" : "RHSA-2024:7811",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8",
    "package" : "eap7-avro-0:1.11.4-1.redhat_00001.1.el8eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
    "release_date" : "2024-10-08T00:00:00Z",
    "advisory" : "RHSA-2024:7811",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9",
    "package" : "eap7-avro-0:1.11.4-1.redhat_00001.1.el9eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
    "release_date" : "2024-10-08T00:00:00Z",
    "advisory" : "RHSA-2024:7811",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7",
    "package" : "eap7-avro-0:1.11.4-1.redhat_00001.1.el7eap"
  }, {
    "product_name" : "RHINT Camel-K 1.10.8",
    "release_date" : "2024-10-22T00:00:00Z",
    "advisory" : "RHSA-2024:8339",
    "cpe" : "cpe:/a:redhat:camel_k:1.10.8",
    "package" : "org.apache.avro/avro",
    "impact" : "important"
  } ],
  "package_state" : [ {
    "product_name" : "A-MQ Clients 2",
    "fix_state" : "Not affected",
    "package_name" : "org.apache.avro/avro",
    "cpe" : "cpe:/a:redhat:a_mq_clients:2"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "org.elasticsearch-elasticsearch",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 3",
    "fix_state" : "Out of support scope",
    "package_name" : "org.apache.avro/avro",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:3"
  }, {
    "product_name" : "Red Hat build of Debezium 2",
    "fix_state" : "Not affected",
    "package_name" : "org.apache.avro/avro",
    "cpe" : "cpe:/a:redhat:debezium:2"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Not affected",
    "package_name" : "org.apache.avro/avro",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Not affected",
    "package_name" : "org.apache.avro/avro",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Will not fix",
    "package_name" : "org.apache.avro/avro",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "impact" : "important"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 7",
    "fix_state" : "Not affected",
    "package_name" : "org.apache.avro/avro",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Will not fix",
    "package_name" : "org.apache.avro/avro",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7",
    "impact" : "moderate"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-47561\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-47561" ],
  "name" : "CVE-2024-47561",
  "mitigation" : {
    "value" : "1. Avoid parsing user-provided schemas.\n2. Ensure proper input validation and sanitization of schemas before parsing.\n3. Monitor systems for any unusual activities that may indicate exploitation attempts.\n4. Apply the principle of least privilege to minimize the potential impact of successful exploits.",
    "lang" : "en:us"
  },
  "csaw" : false
}