Most active commenters
  • tptacek(3)

←back to thread

Max severity RCE flaw discovered in widely used Apache Parquet

(www.bleepingcomputer.com)
174 points andy99 | 12 comments | 4/6/2025, 5:21:00 PM | HN request time: 3.396s | source | bottom
1. tptacek ◴[4/6/2025, 7:56:00 PM] No.43604427[source]

Broken record, but "has a CVSS score of 10.0" is literally meaningless. In fact, over the last couple years, I've come to take vulnerabilities with very high CVSS scores less seriously. Remember, Heartbleed was a "7.5".

replies(5): >>43604810 #>>43605410 #>>43606314 #>>43609363 #>>43610358 #
2. marcolussetti ◴[4/6/2025, 8:43:00 PM] No.43604810[source]

That's mostly due to the switch from CVSS 2 to CVSS 3

3. pclmulqdq ◴[4/6/2025, 10:14:00 PM] No.43605410[source]

I am pretty convinced that CVSS has a very significant component of "how enterprise is it." Accepting untrusted parquet files without verification or exposing apache spark directly to users is a very "enterprise" thing to do (alongside having log4j log untrusted user inputs). Heartbleed sounded too technical and not "enterprise" enough.

replies(1): >>43607573 #
4. b8 ◴[4/7/2025, 12:42:00 AM] No.43606314[source]

A new scoring system should be made that is a better signal.

replies(2): >>43606373 #>>43606374 #
5. tptacek ◴[4/7/2025, 12:54:00 AM] No.43606373[source]

I think the original one did just fine: "info, low, medium, high, crit".

I could even do without "crit".

replies(1): >>43606709 #
6. saagarjha ◴[4/7/2025, 12:54:00 AM] No.43606374[source]

It's quite hard to do this.

7. worthless-trash ◴[4/7/2025, 1:49:00 AM] No.43606709{3}[source]

I believe companies often call that the flaws impact.

It is different than the cvss rating.

replies(1): >>43606866 #
8. tptacek ◴[4/7/2025, 2:08:00 AM] No.43606866{4}[source]

In that it is meaningful, yes.

replies(1): >>43609087 #
9. positr0n ◴[4/7/2025, 4:09:00 AM] No.43607573[source]

> alongside having log4j log untrusted user inputs

I'd think logging things like query parameters is extremely common.

10. worthless-trash ◴[4/7/2025, 8:13:00 AM] No.43609087{5}[source]

Surely you think AV:P has a meaningful description in the CVSS Score ?

11. tgv ◴[4/7/2025, 9:07:00 AM] No.43609363[source]

It may be noisy, but recently Draytek routers had a 10 point one, and indeed, an office router had been taken over. It would stubornly reboot every couple of minutes, and not accept upgrades.

12. junon ◴[4/7/2025, 12:07:00 PM] No.43610358[source]

Yep. Any software these days can be "network accessible" if you put a server in front of it; that's usually what pumps the score up.