←back to thread

Max severity RCE flaw discovered in widely used Apache Parquet

(www.bleepingcomputer.com)
174 points andy99 | 8 comments | 06 Apr 25 17:21 UTC | HN request time: 0.001s | source | bottom
Show context
formerly_proven ◴[06 Apr 25 17:47 UTC] No.43603309[source]
As per the PoC, yes — this is the usual Java Deserialization RCE where it’ll instantiate arbitrary classes. Java serialization really is a gift that keeps on giving.
replies(2): >>43603416 #>>43603473 #
1. stefan_ ◴[06 Apr 25 17:58 UTC] No.43603416[source]
I love how these always instantly escalate into trivial code execution / reverse shell. Remember kids, C is the enemy!

The "fix" in question also screams "delete this crap immediately": https://github.com/wgtmac/parquet-mr/commit/d185f867c1eb968a...

replies(2): >>43603502 #>>43603648 #
2. pclmulqdq ◴[06 Apr 25 18:08 UTC] No.43603502[source]
This is a bug in Java. Java is considered "memory safe" because of its GC and its VM. This is not a memory safety bug.
replies(1): >>43605304 #
3. hinkley ◴[06 Apr 25 18:25 UTC] No.43603648[source]
The fix still loads the class before checking if it’s okay.

That’s a smaller attack window but it’s still not zero.

replies(1): >>43604534 #
4. josefx ◴[06 Apr 25 20:07 UTC] No.43604534[source]
Java reflection can load classes without initializing them, so no untrusted code would have to be executed at that point.
replies(1): >>43604871 #
5. hinkley ◴[06 Apr 25 20:52 UTC] No.43604871{3}[source]
I haven’t been in Java for a good while. When did they do that?

Static initializers used to load on Classloader calls.

replies(1): >>43605102 #
6. josefx ◴[06 Apr 25 21:27 UTC] No.43605102{4}[source]
An overload for Class.forName with an explicit initialize parameter was added in Java 1.2 .
replies(1): >>43608222 #
7. chowells ◴[06 Apr 25 21:58 UTC] No.43605304[source]
It's true. No memory is being used in contravention of the language semantics. Absolutely memory safe.
8. hinkley ◴[07 Apr 25 05:53 UTC] No.43608222{5}[source]
Except they don't call Class.forName(..., false, ...) anywhere in the codebase, so my original comment still stands.