
174 points andy99 | 12 comments
1. tptacek ◴[] No.43604427[source]
Broken record, but "has a CVSS score of 10.0" is literally meaningless. In fact, over the last couple years, I've come to take vulnerabilities with very high CVSS scores less seriously. Remember, Heartbleed was a "7.5".
replies(5): >>43604810 #>>43605410 #>>43606314 #>>43609363 #>>43610358 #
2. marcolussetti ◴[] No.43604810[source]
That's mostly due to the switch from CVSS 2 to CVSS 3.
3. pclmulqdq ◴[] No.43605410[source]
I am pretty convinced that CVSS has a very significant component of "how enterprise is it." Accepting untrusted Parquet files without verification or exposing Apache Spark directly to users is a very "enterprise" thing to do (alongside having log4j log untrusted user inputs). Heartbleed sounded too technical and not "enterprise" enough.
replies(1): >>43607573 #
4. b8 ◴[] No.43606314[source]
A new scoring system should be made that is a better signal.
replies(2): >>43606373 #>>43606374 #
5. tptacek ◴[] No.43606373[source]
I think the original one did just fine: "info, low, medium, high, crit".

I could even do without "crit".

replies(1): >>43606709 #
6. saagarjha ◴[] No.43606374[source]
It's quite hard to do this.
7. worthless-trash ◴[] No.43606709{3}[source]
I believe companies often call that the flaw's impact.

It is different than the CVSS rating.

replies(1): >>43606866 #
8. tptacek ◴[] No.43606866{4}[source]
In that it is meaningful, yes.
replies(1): >>43609087 #
9. positr0n ◴[] No.43607573[source]
> alongside having log4j log untrusted user inputs

I'd think logging things like query parameters is extremely common.

10. worthless-trash ◴[] No.43609087{5}[source]
Surely you think AV:P has a meaningful description in the CVSS score?
11. tgv ◴[] No.43609363[source]
It may be noisy, but recently DrayTek routers had a 10 point one, and indeed, an office router had been taken over. It would stubbornly reboot every couple of minutes, and not accept upgrades.
12. junon ◴[] No.43610358[source]
Yep. Any software these days can be "network accessible" if you put a server in front of it; that's usually what pumps the score up.