A greatest intensity security vulnerability has been disclosed in Apache Parquet’s Java Library that, if properly exploited, may help a remote attacker to execute arbitrary code on vulnerable instances.
Apache Parquet is a free and open-source column data file format that’s designed for effective data processing and recovery, providing support for complex statistics, high-performance compression, and encoding schemes. It was first launched in 2013.
The risk in query is tracked as . It carries a CVSS report of 10.0.
” Schema parsing in the parquet-avro package of Apache Parquet 1.15.0 and earlier variations allows bad actors to perform random code”, the task maintainers said in an expert.
According to Endor Labs, effective abuse of the weakness requires tricking a resilient system into reading a specially crafted Parquet report to obtain code execution.
” This vulnerability can affect data pipelines and analytics systems that import Parquet files, especially when those files come from outside or dirty sources”, the company . ” If attackers can tamper with the files, the vulnerability may be triggered”.
The shortcoming impacts all versions of the software up to and including 1.15.0. It has been addressed in version 1.15.1. Keyi Li of Amazon has been credited with discovering and reporting the flaw.
While there is no evidence that the flaw has been exploited in the wild, vulnerabilities in Apache projects have become a lightning rod for threat actors looking to opportunistically breach systems and deploy malware.
Last month, a critical security flaw in Apache Tomcat ( , CVSS score: 9.8 ) within 30 hours of public disclosure.
Cloud security firm Aqua, in an analysis published this week, said it discovered a new attack campaign that targets Apache Tomcat servers with easy-to-guess credentials to deploy encrypted payloads that are designed to steal SSH credentials for lateral movement and ultimately hijack the system resources for illicit cryptocurrency mining.
The payloads are also capable of establishing persistence and acting as a Java-based web shell that “enables the attacker to execute arbitrary Java code on the server”, Assaf Morag, director of threat intelligence at Aqua, .
” In addition, the script is designed to check if the user has root privileges and if so it executes two functions that optimize CPU consumption for better cryptomining results”.
The campaign, which affects both Windows and Linux systems, is likely assessed to be the work of a Chinese-speaking threat actor owing to the presence of Chinese language comments in the source code.