Description
When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.
This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.
A flaw was found in apache-avro. When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints, leading to an out-of-memory error and a denial of service on the system.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| A-MQ Clients 2 | avro | Not affected | | |
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch6-rhel8 | Not affected | | |
| Red Hat build of Apache Camel for Spring Boot 3 | avro | Will not fix | | |
| Red Hat build of Apicurio Registry 2 | avro | Affected | | |
| Red Hat build of Debezium 2 | avro | Will not fix | | |
| Red Hat Data Grid 8 | avro | Not affected | | |
| Red Hat Enterprise Linux 8 | log4j:2/log4j | Not affected | | |
| Red Hat Enterprise Linux 9 | log4j | Not affected | | |
| Red Hat Integration Camel K 1 | avro | Not affected | | |
| Red Hat Integration Camel Quarkus 2 | avro | Affected | | |
Additional information
Status:
EPSS
CVSS3: 7.5 High
Related vulnerabilities
When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.
Apache Avro Java SDK vulnerable to Improper Input Validation
A vulnerability in the Apache Avro data serialization library, related to flaws in the deserialization mechanism, that allows an attacker to cause a denial of service