CVE-2023-39410: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK
First published: Fri Sep 29 2023(Updated: )
Apache Avro Java SDK could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By sending specially crafted input, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/avro | >=0<1.11.3 | 1.11.3 |
| maven/org.apache.avro:avro | <1.11.3 | 1.11.3 |
| Apache Avro | <1.11.3 | |
| IBM Cognos Analytics | <=12.0.0-12.0.1 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP2 | |
| IBM Cognos Analytics | <=11.1.1-11.1.7 FP7 | |
| redhat/apache-avro | <1.11.3 | 1.11.3 |
| <1.11.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2023-39410
- https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds
- http://www.openwall.com/lists/oss-security/2023/09/29/6
- https://github.com/apache/avro/commit/a12a7e44ddbe060c3dc731863cad5c15f9267828
- https://github.com/pypa/advisory-database/tree/main/vulns/avro/PYSEC-2023-188.yaml
- https://www.openwall.com/lists/oss-security/2023/09/29/6
- https://github.com/advisories/GHSA-rhrv-645h-fjfh (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/267324
- https://www.ibm.com/support/pages/node/7123154 (Advisory)
- https://access.redhat.com/errata/RHSA-2023:7247
- https://access.redhat.com/errata/RHSA-2023:7612
- https://access.redhat.com/errata/RHSA-2023:7617
- https://access.redhat.com/errata/RHSA-2023:7639
- https://access.redhat.com/errata/RHSA-2023:7637
- https://access.redhat.com/errata/RHSA-2023:7638
- https://access.redhat.com/errata/RHSA-2023:7641
- https://access.redhat.com/errata/RHSA-2023:7700
- https://access.redhat.com/errata/RHSA-2023:7705
- https://access.redhat.com/errata/RHSA-2024:3354
- https://bugzilla.redhat.com/show_bug.cgi?id=2242521
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://security.netapp.com/advisory/ntap-20240621-0006
Frequently Asked Questions
What is CVE-2023-39410?
CVE-2023-39410 is a vulnerability in the Apache Avro Java SDK that allows a reader to consume memory beyond the allowed constraints when deserializing untrusted or corrupted data, leading to an out-of-memory condition on the system.
Which Java applications are affected by CVE-2023-39410?
Java applications using Apache Avro Java SDK up to and including version 1.11.2 are affected by CVE-2023-39410.
How can I fix CVE-2023-39410?
To fix CVE-2023-39410, users should update to Apache Avro Java SDK version 1.11.3 or later.
What is the Common Weakness Enumeration (CWE) ID of CVE-2023-39410?
The CWE ID of CVE-2023-39410 is CWE-20.
Where can I find more information about CVE-2023-39410?
You can find more information about CVE-2023-39410 on the NIST National Vulnerability Database (NVD) website.
- collector/oss-sec
- alias/CVE-2023-39410
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/author
- agent/weakness
- agent/title
- agent/severity
- agent/description
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- collector/redhat-bugzilla
- source/Red Hat
- collector/nvd-api
- source/NVD
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-rhrv-645h-fjfh
- agent/references
- agent/softwarecombine
- collector/nvd-cve
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/github-advisory
- vendor/apache
- canonical/apache avro
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.1
- version/ibm cognos analytics/11.2.0-11.2.4 fp2
- version/ibm cognos analytics/11.1.1-11.1.7 fp7
- package-manager/redhat
- package-manager/pip
- package-manager/maven