Apache Parquet Java Schema Parsing Vulnerability in the parquet-avro Module Allows Arbitrary Code Execution

A remote code execution vulnerability has been identified in the parquet-avro module of Apache Parquet Java, affecting versions through 1.15.0. This vulnerability arises from schema parsing that allows attackers to execute arbitrary code. The issue is related to how the library deserializes Avro schemas embedded in Parquet files, particularly in a way that can trigger Java classes to be instantiated, potentially leading to code execution.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where the affected Parquet file is processed.

Reproduction

The vulnerability can be reproduced by creating a Parquet file that includes a malicious Avro schema. This schema should be crafted to instantiate a Java class known to have side effects when deserialized, such as 'javax.swing.JEditorPane'. Once this file is created, it can be processed by an application that uses the Apache Parquet Java library, which will trigger the vulnerability.

Remediation

Users are advised to upgrade to Apache Parquet Java version 1.15.1 or later, which addresses this vulnerability.