CVE-2023-39410
Denial of Service (DoS) vulnerability in avro (Maven)

Tags: Denial of Service (DoS) · No known exploit · Fixable by Resolved Security

What is CVE-2023-39410 About?

This vulnerability is a Denial of Service (DoS) in the Apache Avro Java SDK, affecting versions up to 1.11.2. When deserializing untrusted or corrupted data, a reader can consume excessive memory, leading to an out-of-memory condition. Exploitation requires supplying specially crafted data, making it a targeted attack.

Affected Software

  • avro
    • <1.11.3
  • org.apache.avro:avro
    • <1.11.3

Technical Details

The vulnerability in the Apache Avro Java SDK arises during the deserialization of untrusted or corrupted data. A reader processing such input can be forced to allocate an amount of memory disproportionate to the actual size of the input, because the sizes declared in the data were not checked against any limit before allocation. When triggered by deliberately crafted input, this excessive allocation leads to an out-of-memory (OOM) error, causing a Denial of Service by crashing the application or leaving it unresponsive.

What is the Impact of CVE-2023-39410?

Successful exploitation may allow attackers to disrupt service availability by crashing the application or making it unresponsive due to excessive memory consumption.

What is the Exploitability of CVE-2023-39410?

Exploitation of this Denial of Service vulnerability involves providing specially crafted untrusted or corrupted data to an application using the vulnerable Apache Avro Java SDK. The complexity of crafting such data may vary, but it does not typically require authentication or elevated privileges beyond the ability to send data to the application's deserialization endpoint. This is generally a remote attack, as an attacker would send the malicious data over a network. The primary risk factor is any application that accepts and deserializes data from untrusted sources using the affected Avro library versions.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2023-39410?

A Fix by Resolved Security Exists!
Fix open-source vulnerabilities without upgrading your dependencies.

About the Fix from Resolved Security

The patch introduces strict checks on the maximum allowed sizes for fixed types, strings, byte arrays, and collections using configurable limits, preventing the allocation of excessively large memory chunks. This addresses CVE-2023-39410 by mitigating the risk of denial of service or out-of-memory errors that could be triggered by malicious or malformed input specifying very large sizes, which the code previously failed to limit adequately. By unifying and enforcing consistent size validations via the new SystemLimitException, the patch ensures the application will reliably reject over-sized data before dangerous allocations occur.
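To show the shape of the defect and of the fix described above, here is an added example (not Avro's own code and not the Resolved Security patch). It models an Avro-style length-prefixed bytes reader: the unchecked form allocates whatever size the varint prefix claims, while the checked form enforces a configurable cap before allocating. The SystemLimitException class body, the demo property name and the sample inputs are assumptions constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

// Added example, not Avro's own code: models the size check the fix describes. Avro's binary
// encoding prefixes bytes/strings with a zigzag varint length; allocating that many bytes
// before validating the prefix is the out-of-memory path.
public class AvroLengthCheckDemo {
    // Stand-in for the SystemLimitException named in the advisory (only the name is from the page).
    public static class SystemLimitException extends RuntimeException { SystemLimitException(String m) { super(m); } }

    // Decode one Avro zigzag varint long; more than 10 bytes is malformed and rejected.
    static long readLong(InputStream in) throws IOException {
        long n = 0; int shift = 0, b;
        do {
            if (shift > 63 || (b = in.read()) < 0) throw new IOException("bad varint");
            n |= (long) (b & 0x7f) << shift;
            shift += 7;
        } while ((b & 0x80) != 0);
        return (n >>> 1) ^ -(n & 1);
    }

    // Vulnerable shape (shown for contrast, not invoked below): a 5-byte input claiming
    // 2^31-1 bytes drives new byte[] straight to an OutOfMemoryError.
    static byte[] readBytesUnchecked(InputStream in) throws IOException {
        byte[] buf = new byte[(int) readLong(in)];
        if (in.readNBytes(buf, 0, buf.length) != buf.length) throw new IOException("truncated");
        return buf;
    }

    // Hardened shape: enforce a configurable cap before allocating (property name is hypothetical).
    static final int MAX_BYTES_LENGTH = Integer.getInteger("demo.limits.bytes.maxLength", 1 << 20);
    static byte[] readBytesChecked(InputStream in) throws IOException {
        long len = readLong(in);
        if (len < 0 || len > MAX_BYTES_LENGTH)
            throw new SystemLimitException("bytes length " + len + " exceeds limit " + MAX_BYTES_LENGTH);
        byte[] buf = new byte[(int) len];
        if (in.readNBytes(buf, 0, buf.length) != buf.length) throw new IOException("truncated");
        return buf;
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: varint for length Integer.MAX_VALUE (zigzag 0xFFFFFFFE), no payload.
        byte[] oversized = {(byte) 0xfe, (byte) 0xff, (byte) 0xff, (byte) 0xff, 0x0f};
        try {
            readBytesChecked(new ByteArrayInputStream(oversized));
        } catch (SystemLimitException e) {
            System.out.println("rejected before allocation: " + e.getMessage());
        }
        byte[] wellFormed = {0x06, 'a', 'v', 'r'};   // length 3 (zigzag 6) followed by three bytes
        System.out.println(new String(readBytesChecked(new ByteArrayInputStream(wellFormed)), "UTF-8"));
    }
}
```

The checked reader rejects the oversized prefix with SystemLimitException before any buffer exists, and still decodes the well-formed value to "avr".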

Available Upgrade Options

  • org.apache.avro:avro
    • <1.11.3 → Upgrade to 1.11.3
  • avro
    • <1.11.3 → Upgrade to 1.11.3


Additional Resources

What are Similar Vulnerabilities to CVE-2023-39410?

Similar Vulnerabilities: CVE-2021-29425, CVE-2018-1000620, CVE-2020-11979, CVE-2023-1370, CVE-2022-26210