CVE-2021-43045

7.5 HIGH

📋 TL;DR

This vulnerability in Apache Avro's .NET SDK allows attackers to cause denial-of-service by forcing excessive resource allocation. It affects .NET applications using Apache Avro version 1.10.2 and earlier. The issue is resolved in version 1.11.0.

💻 Affected Systems

Products:
  • Apache Avro .NET SDK
Versions: 1.10.2 and prior versions
Operating Systems: All operating systems running .NET applications with Apache Avro
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects .NET applications using Apache Avro; other language implementations are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to resource exhaustion, potentially affecting multiple dependent services.

🟠 Likely Case

Degraded performance or temporary service disruption for affected applications.

🟢 If Mitigated

Minimal impact with proper input validation and resource limits in place.

🌐 Internet-Facing: MEDIUM - Exploitable remotely but requires specific conditions and targeting.
🏢 Internal Only: MEDIUM - Internal applications could be targeted by malicious insiders or compromised accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to send malicious Avro data to vulnerable applications.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.11.0

Vendor Advisory: https://lists.apache.org/thread/5fttw9vk6gd2p3b846nox7hcj5469xfd

Restart Required: Yes

Instructions:

1. Update the Apache.Avro NuGet package to version 1.11.0 or later.
2. Rebuild and redeploy affected applications.
3. Restart application services.

🔧 Temporary Workarounds

  • Input validation and size limits (all): Implement strict input validation and size limits on Avro data processing
  • Resource monitoring and throttling (all): Monitor resource usage and implement throttling mechanisms

🧯 If You Can't Patch

  • Implement strict input validation and size limits on all Avro data processing
  • Deploy resource monitoring with automatic alerting for abnormal resource consumption

🔍 How to Verify

Check if Vulnerable:

Check NuGet package references for Apache.Avro version <= 1.10.2

Check Version:

dotnet list package Apache.Avro

Verify Fix Applied:

Verify Apache.Avro package version is >= 1.11.0 in project dependencies
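The version check above can be scripted across a source tree. The following POSIX shell script is an added example, not part of this advisory or of the Apache Avro project: it reads the `Version` attribute of every `Apache.Avro` `PackageReference` (or `PackageVersion`, for central package management) in `.csproj`/`.props` files and flags anything below the fixed release 1.11.0. The sample project files it writes into a temporary directory are constructed for the demonstration; point `scan_tree` at a real repository to use it.

```shell
#!/bin/sh
# Added example (not from the advisory): flag .csproj/.props files that pin
# Apache.Avro below the fixed release 1.11.0 (CVE-2021-43045).
FIXED_VERSION="1.11.0"

# Print the Version attribute of the Apache.Avro package reference in one
# project file, or nothing if the package is not referenced there.
avro_version_in_csproj() {
    grep 'Include="Apache.Avro"' "$1" \
        | sed -n 's/.*Version="\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 if dotted version $1 is strictly lower than $2.
# Components are compared numerically, so 1.9.0 < 1.10.2 < 1.11.0;
# a pre-release suffix such as "-rc1" is ignored on the component it follows.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1   # equal versions are not "less than"
    }'
}

# Classify one project file: prints "none", "fixed <ver>" or "vulnerable <ver>".
check_csproj() {
    v=$(avro_version_in_csproj "$1")
    if [ -z "$v" ]; then
        echo "none"
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo "vulnerable $v"
    else
        echo "fixed $v"
    fi
}

# Walk a directory tree and report every project file that references Apache.Avro.
scan_tree() {
    find "$1" \( -name '*.csproj' -o -name '*.props' \) -type f | sort | while read -r f; do
        r=$(check_csproj "$f")
        [ "$r" = "none" ] || echo "$f: $r"
    done
}

# Demonstration on constructed sample projects (not real project files).
demo_dir=$(mktemp -d)
printf '<Project Sdk="Microsoft.NET.Sdk">\n  <ItemGroup>\n    <PackageReference Include="Apache.Avro" Version="1.10.2" />\n  </ItemGroup>\n</Project>\n' \
    > "$demo_dir/legacy.csproj"
printf '<Project>\n  <ItemGroup>\n    <PackageVersion Include="Apache.Avro" Version="1.11.0" />\n  </ItemGroup>\n</Project>\n' \
    > "$demo_dir/Directory.Packages.props"
scan_tree "$demo_dir"
# legacy.csproj is reported as "vulnerable 1.10.2", the props file as "fixed 1.11.0"
rm -rf "$demo_dir"
```

The script only sees versions that are pinned in project files; a transitive reference pulled in by another package will not appear, so keep `dotnet list package --include-transitive` in the verification step for the final build.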

📡 Detection & Monitoring

Log Indicators:

  • Unusually high memory or CPU usage during Avro processing
  • Failed Avro parsing attempts with large payloads

Network Indicators:

  • Large Avro payloads being sent to applications
  • Repeated Avro data submissions

SIEM Query:

source="application_logs" AND ("Avro" OR "Apache.Avro") AND (memory_usage > threshold OR cpu_usage > threshold)

🔗 References
