
174 points andy99 | 8 comments
1. nikanj No.43603575
"Maximum severity RCE" no longer means "unauthenticated RCE by any actor", it now means "the vulnerability can only be exploited if a malicious file is imported"

Grumbling about CVE inflation

replies(3): >>43603718 >>43604364 >>43604433
2. marcusb No.43603718
CVSS, at least in its current form, needs to be taken out back and shot. See, for instance, https://daniel.haxx.se/blog/2025/01/23/cvss-is-dead-to-us/
replies(1): >>43604530
3. kevincox No.43604364
But Parquet is intended to be a safe format. So importing a malicious file should still be safe.

Like, if a browser had a vulnerability parsing HTML, of course it is a major concern, because very often browsers parse HTML from untrusted parties.

replies(1): >>43604910
4. tptacek No.43604433
There's no such thing as CVE inflation because CVEs don't have scores. You're grumbling about CVSS inflation. But: CVSS has always been flawed, and never should have been taken seriously.
replies(1): >>43609370
5. buu700 No.43604530
I like the idea of CVSS, but it's definitely less precise than I'd like as-is. E.g., I've found that most issues which I would normally think of as low-severity get bumped up to medium by CVSS just for being network-based attack vectors, even if the actual issue is extremely edge case, extremely complex and/or computationally expensive to exploit, or not clearly exploitable at all.
6. mr_mitm No.43604910
Why is "user interaction: none" though? There should be reasoning attached to the CVSS vector in these CVEs.
replies(1): >>43605059
7. StressedDev No.43605059
Probably because there are services (AKA web services, software listening on a network port, etc.) out there which accept arbitrary Parquet files. This seems like a safe assumption given that lots of organizations use micro-services, or cloud vendors use the same software on the same machine to process requests from different customers. This is a bad bug, and if you use the affected code, you should update immediately.
8. sean_flanigan No.43609370
Those CVE numbers go up every year… Sounds like inflation to me! ;-)