Arbitrary Java Code Execution Vulnerability in Pulsar Function Worker
CVE-2024-27135
CVSS 9.9 CRITICAL
Summary
The vulnerability in the Apache Pulsar Function Worker stems from improper input validation, which allows an authenticated malicious user to execute arbitrary Java code outside the sandboxes intended for user-provided functions. The issue also reaches the Pulsar Broker when the 'functionsWorkerEnabled' configuration is set to true, because the broker then runs the function worker in-process, which widens the set of affected deployments. Users running affected versions are urged to upgrade to the patched releases (2.10.6, 2.11.4, or 3.0.3) to mitigate the risk.
Affected Version(s)
Apache Pulsar from 2.4.0 before 2.10.6
Apache Pulsar from 2.11.0 before 2.11.4
Apache Pulsar from 3.0.0 before 3.0.3
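An added defender-side check, not part of the advisory or of the Pulsar project: it tests a deployment's version against the three affected ranges above and reads a broker.conf fragment for 'functionsWorkerEnabled' to tell whether only a standalone function worker or the broker itself is in scope. The broker.conf sample is constructed here; broker.conf is assumed to use plain key=value lines with 'functionsWorkerEnabled' defaulting to false.

```python
from typing import Tuple

# Affected ranges from the advisory, as [first affected, first fixed) pairs.
AFFECTED_RANGES = [
    ("2.4.0", "2.10.6"),
    ("2.11.0", "2.11.4"),
    ("3.0.0", "3.0.3"),
]

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.10.6' (or '2.10.6-SNAPSHOT') into a comparable tuple."""
    core = v.strip().split("-")[0]
    return tuple(int(p) for p in core.split("."))

def is_affected(version: str) -> bool:
    """True when the version lies inside any [start, fixed) range."""
    ver = parse_version(version)
    return any(parse_version(lo) <= ver < parse_version(hi)
               for lo, hi in AFFECTED_RANGES)

def functions_worker_enabled(conf_text: str) -> bool:
    """Scan broker.conf text (key=value lines) for functionsWorkerEnabled.
    A missing or commented-out key is treated as false (assumed default)."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "functionsWorkerEnabled":
            return value.strip().lower() == "true"
    return False

def exposure(version: str, broker_conf: str) -> str:
    """Classify a deployment: 'not-affected', 'function-worker' (only a
    separately deployed worker is in scope) or 'broker-and-function-worker'."""
    if not is_affected(version):
        return "not-affected"
    if functions_worker_enabled(broker_conf):
        return "broker-and-function-worker"
    return "function-worker"

if __name__ == "__main__":
    # Constructed broker.conf fragment for illustration.
    sample_conf = "# broker.conf\nbrokerServicePort=6650\nfunctionsWorkerEnabled=true\n"
    print(exposure("3.0.2", sample_conf))  # broker-and-function-worker
```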
CVSS V3.1
Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Credit
Lari Hotari of StreamNative