
174 points | andy99 | 1 comment
jtchang No.43604870
It's so dumb to assign it a CVSS score of 10.

Unless you are blindly accepting parquet formatted files this really doesn't seem that bad.

A vulnerability in parsing images, xml, json, html, css would be way more detrimental.

I can't think of many services that accept parquet files directly. And of those usually you are calling it directly via a backend service.

replies(3): >>43605359 #>>43605393 #>>43606782 #
jeroenhd No.43605393
Unless you're logging user input without proper validation, log4j doesn't really seem that bad.

As a library, this is a huge problem. If you're a user of the library, you'll have to decide if your usage of it is problematic or not.

Either way, the safe solution is to just update the library. Or, based on the link shared elsewhere (https://github.com/apache/parquet-java/compare/apache-parque...) maybe avoid this library if you can, because the Java-specific code paths seem sketchy as hell to me.

replies(2): >>43605484 #>>43608211 #
seanhunter No.43608211
It’s incredibly common to log things which contain text elements which come from a user request. I’ve worked on systems that do that 100s of thousands of times per day. I’ve literally never deserialized a parquet file that came from someone else, not even a single time, and I’ve used parquet since it was very first released.