←back to thread

Max severity RCE flaw discovered in widely used Apache Parquet

(www.bleepingcomputer.com)
174 points andy99 | 1 comments | 06 Apr 25 17:21 UTC | HN request time: 0.001s | source
Show context
formerly_proven ◴[06 Apr 25 17:47 UTC] No.43603309[source]
As per the PoC, yes — this is the usual Java Deserialization RCE where it’ll instantiate arbitrary classes. Java serialization really is a gift that keeps on giving.
replies(2): >>43603416 #>>43603473 #
stefan_ ◴[06 Apr 25 17:58 UTC] No.43603416[source]
I love how these always instantly escalate into trivial code execution / reverse shell. Remember kids, C is the enemy!

The "fix" in question also screams "delete this crap immediately": https://github.com/wgtmac/parquet-mr/commit/d185f867c1eb968a...

replies(2): >>43603502 #>>43603648 #
hinkley ◴[06 Apr 25 18:25 UTC] No.43603648[source]
The fix still loads the class before checking if it’s okay.

That’s a smaller attack window but it’s still not zero.

replies(1): >>43604534 #
josefx ◴[06 Apr 25 20:07 UTC] No.43604534[source]
Java reflection can load classes without initializing them, so no untrusted code would have to be executed at that point.
replies(1): >>43604871 #
hinkley ◴[06 Apr 25 20:52 UTC] No.43604871[source]
I haven’t been in Java for a good while. When did they do that?

Static initializers used to load on Classloader calls.

replies(1): >>43605102 #
josefx ◴[06 Apr 25 21:27 UTC] No.43605102{3}[source]
An overload for Class.forName with an explicit initialize parameter was added in Java 1.2 .
replies(1): >>43608222 #
1. hinkley ◴[07 Apr 25 05:53 UTC] No.43608222{4}[source]
Except they don't call Class.forName(..., false, ...) anywhere in the codebase, so my original comment still stands.