Bug 2242521 (CVE-2023-39410)

Summary: CVE-2023-39410 apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK
Product: [Other] Security Response Reporter: Patrick Del Bello <pdelbell>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aileenc, anstephe, aschwart, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, ccranfor, cdewolf, chazlett, chfoley, clement.escoffier, cmiranda, dandread, darran.lofthouse, dkreling, dosoudil, drichtar, eric.wittmann, fjuma, fmariani, fmongiar, gmalinko, gsmet, istudens, ivassile, iweiss, janstey, jcantril, jmartisk, jnethert, jolee, jpechane, jpoth, jschatte, jscholz, jstastny, lgao, lthon, manderse, max.andersen, mosmerov, mposolda, msochure, mstefank, msvehla, mulliken, nipatil, nwallace, olubyans, pantinor, pcongius, pdelbell, pdrozd, peholase, pesilva, pgallagh, pjindal, pmackay, probinso, pskopek, rguimara, rkubis, rojacob, rowaters, rruss, rstancel, rstepani, rsvoboda, sbiarozk, smaestri, ssilvert, sthorger, swoodman, tcunning, tom.jenkinson, tqvarnst, vmuzikar, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: apache-avro 1.11.3 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in apache-avro. When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints, leading to an out-of-memory error and a denial of service on the system.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2242520    

Description Patrick Del Bello 2023-10-06 17:32:54 UTC 
When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.

This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2.  Users should update to apache-avro version 1.11.3 which addresses this issue.

https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds
https://www.openwall.com/lists/oss-security/2023/09/29/6
Comment 7 errata-xmlrpc 2023-11-15 17:08:02 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.12.1

Via RHSA-2023:7247 https://access.redhat.com/errata/RHSA-2023:7247
Comment 9 errata-xmlrpc 2023-11-30 11:36:58 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 3.2.9

Via RHSA-2023:7612 https://access.redhat.com/errata/RHSA-2023:7612
Comment 10 errata-xmlrpc 2023-11-30 15:00:41 UTC 
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2023:7617 https://access.redhat.com/errata/RHSA-2023:7617
Comment 11 errata-xmlrpc 2023-12-04 17:56:45 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2023:7639 https://access.redhat.com/errata/RHSA-2023:7639
Comment 12 errata-xmlrpc 2023-12-04 17:57:29 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2023:7637 https://access.redhat.com/errata/RHSA-2023:7637
Comment 13 errata-xmlrpc 2023-12-04 17:59:15 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2023:7638 https://access.redhat.com/errata/RHSA-2023:7638
Comment 14 errata-xmlrpc 2023-12-04 18:02:24 UTC 
This issue has been addressed in the following products:

  EAP 7.4.14

Via RHSA-2023:7641 https://access.redhat.com/errata/RHSA-2023:7641
Comment 15 errata-xmlrpc 2023-12-07 14:26:51 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.13.9

Via RHSA-2023:7700 https://access.redhat.com/errata/RHSA-2023:7700
Comment 16 errata-xmlrpc 2023-12-07 15:32:49 UTC 
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2023:7705 https://access.redhat.com/errata/RHSA-2023:7705
Comment 20 errata-xmlrpc 2024-05-23 22:45:45 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.13.0

Via RHSA-2024:3354 https://access.redhat.com/errata/RHSA-2024:3354
Comment 22 errata-xmlrpc 2024-11-25 00:10:42 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7

Via RHSA-2024:10208 https://access.redhat.com/errata/RHSA-2024:10208
Comment 23 errata-xmlrpc 2024-11-25 00:11:33 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7

Via RHSA-2024:10207 https://access.redhat.com/errata/RHSA-2024:10207
Comment 28 errata-xmlrpc 2025-10-23 22:34:21 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7

Via RHSA-2023:7641 https://access.redhat.com/errata/RHSA-2023:7641