2269254 – (CVE-2024-27135) CVE-2024-27135 apache-pulsar: Improper Input Validation in Pulsar Function Worker allows Remote Code Execution

Bug 2269254 (CVE-2024-27135) - CVE-2024-27135 apache-pulsar: Improper Input Validation in Pulsar Function Worker allows Remote Code Execution

Summary: CVE-2024-27135 apache-pulsar: Improper Input Validation in Pulsar Function Wo...

Keywords:
Status:	NEW
Alias:	CVE-2024-27135
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2269246
TreeView+	depends on / blocked

Reported:	2024-03-12 20:28 UTC by Marco Benatto
Modified:	2024-04-30 23:00 UTC (History)
CC List:	33 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability in Apache Pulsar allows a malicious authenticated user to perform remote arbitrary code execution on Pulsar's function worker. A successful attack impacts the data integrity and confidentiality, as well as system availability. Pulsar broker is also susceptible to this attack when it's configured with the "functionsWorkerEnabled=true" flag.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Marco Benatto 2024-03-12 20:28:47 UTC

Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".

This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 

2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.
3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.
3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.
3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.

Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.

https://lists.apache.org/thread/dh8nj2vmb2br6thjltq74lk9jxkz62wn
https://pulsar.apache.org/security/CVE-2024-27135/

Note You need to log in before you can comment on or make changes to this bug.

aileenc
asoldano
bbaranow
bmaxwell
brian.stansberry
cdewolf
chazlett
cmiranda
darran.lofthouse
dkreling
dosoudil
fjuma
fmariani
gmalinko
ivassile
iweiss
janstey
jpoth
lgao
mosmerov
msochure
mstefank
msvehla
nwallace
pcongius
pdelbell
pjindal
pmackay
rstancel
smaestri
tcunning
tom.jenkinson
yfang