FRESH

Hacker News

Max severity RCE flaw discovered in widely used Apache Parquet

174 points by andy99

by tptacek

5 subcomments

Broken record, but "has a CVSS score of 10.0" is literally meaningless. In fact, over the last couple years, I've come to take vulnerabilities with very high CVSS scores less seriously. Remember, Heartbleed was a "7.5".

by jtchang

3 subcomments

It's so dumb to assign it a CVSS score of 10.
Unless you are blindly accepting parquet formatted files this really doesn't seem that bad.
A vulnerability in parsing images, xml, json, html, css would be way more detrimental.
I can't think of many services that accept parquet files directly. And of those usually you are calling it directly via a backend service.

by formerly_proven

2 subcomments

As per the PoC, yes — this is the usual Java Deserialization RCE where it’ll instantiate arbitrary classes. Java serialization really is a gift that keeps on giving.

by g-mork

3 subcomments

When did vulnerability reports get so vague? Looks like a classic serialization bug
https://github.com/apache/parquet-java/compare/apache-parque...

by 3eb7988a1663

2 subcomments

Maybe the headline should note that this a parser vulnerability, not the format itself. I suppose that is obvious, but my first knee-jerk thought was, "Am I going to have to re-encode XXX piles of data?"

by nikanj

3 subcomments

"Maximum severity RCE" no longer means "unauthenticated RCE by any actor", it now means "the vulnerability can only be exploited if a malicious file is imported"
Grumbling about CVE inflation

by gnabgib

1 subcomments

Original source: https://www.endorlabs.com/learn/critical-rce-vulnerability-i...

by lpapez

0 subcomment

Soon to be announced "Quake PAK files identified carrying malware, critical 10/10 vulnerability"

by ustad

2 subcomments

Does anyone know if pandas is affected? I serialize/deserialize dataframes which pandas uses parquet under the hood.

by marginalia_nu

1 subcomments

I migrated off apache parquet to a very simple columnar format. Cut processing times in half, reduced RAM usage by almost 90%, and (as it turns out) dodged this security vulnerability.
I don't want to make too harsh remarks about the project, as it may simply not have been the right tool for my use case, though it sure gave me a lot of issues.

by yencabulator

0 subcomment

In the parquet-java *Java implementation of Apache Parquet*.
Not in the file format.

by rini17

1 subcomments

by TZubiri

0 subcomment