CVE-2023-37475
📋 TL;DR
CVE-2023-37475 is a denial-of-service vulnerability in the hamba/avro Go library: a maliciously crafted string passed to the Unmarshal() function can cause uncontrolled memory consumption and crash the application. It affects any application that uses a vulnerable version of hamba/avro to decode Avro data, and it is exploitable by anyone who can send input to the affected Unmarshal() call.
💻 Affected Systems
- hamba/avro Go library
📦 What is this software?
Avro by Avro Project
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service causing application crashes and potential service unavailability, with possible memory exhaustion affecting the entire host system.
Likely Case
Application crashes and service disruption when processing malicious Avro data, requiring manual intervention to restart services.
If Mitigated
Minimal impact with proper input validation and memory limits in place, though the core vulnerability remains exploitable.
🎯 Exploit Status
Exploitation requires sending a specially crafted string to the Unmarshal() function, which is straightforward for attackers who can provide input to vulnerable applications.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.13.0
Vendor Advisory: https://github.com/hamba/avro/security/advisories/GHSA-9x44-9pgq-cf45
Restart Required: Yes
Instructions:
1. Update Go dependencies: 'go get github.com/hamba/avro/v2@v2.13.0'
2. Update go.mod to require version 2.13.0
3. Rebuild and redeploy affected applications
4. Restart services using the updated library
🔧 Temporary Workarounds
No known workarounds
The vendor advisory states there are no known workarounds for this vulnerability.
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all Avro data inputs before passing them to the Unmarshal() function.
- Deploy memory limits and monitoring for applications using hamba/avro to detect and alert on abnormal memory consumption patterns.
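The two interim measures above, as an added example in Go (this is not code from the hamba/avro project or the advisory): a size gate that runs before the decoder is called, a soft runtime memory limit, and a heap sampler that can drive an "abnormal memory consumption" alert. The payload cap, the memory limit value and the Decoder type are assumptions; hamba/avro itself is not imported so the example runs stand-alone. A byte cap on the raw message limits only what the caller hands over, not what the decoder allocates while parsing it, which is why the page says the core vulnerability remains exploitable until the library is patched.

```go
package main

import (
	"errors"
	"fmt"
	"runtime"
	"runtime/debug"
)

// maxAvroPayload is an assumed per-message cap for this example; set it to the
// largest legitimate record your service expects.
const maxAvroPayload = 1 << 20 // 1 MiB

// ErrPayloadTooLarge is returned for messages rejected before decoding.
var ErrPayloadTooLarge = errors.New("avro payload exceeds configured size limit")

// Decoder stands in for the service's decode call. With hamba/avro this would be a
// closure around avro.Unmarshal; the library is deliberately not imported here.
type Decoder func(data []byte) error

// GuardedDecode applies the size gate before the payload reaches the decoder and turns
// a decoder panic into an ordinary error. A Go runtime out-of-memory fault is fatal and
// cannot be recovered, so this reduces exposure but does not replace upgrading to 2.13.0.
func GuardedDecode(data []byte, decode Decoder) (err error) {
	if len(data) > maxAvroPayload {
		return fmt.Errorf("%w: %d bytes", ErrPayloadTooLarge, len(data))
	}
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("avro decode panicked: %v", r)
		}
	}()
	return decode(data)
}

// ApplyMemoryLimit sets the Go runtime's soft memory limit (runtime/debug, Go 1.19+),
// which makes the collector work harder as the heap approaches it, and returns the
// previous limit. Pair it with a hard cgroup/container limit so a runaway allocation
// kills only this process.
func ApplyMemoryLimit(limitBytes int64) int64 {
	return debug.SetMemoryLimit(limitBytes)
}

// HeapAboveThreshold samples the live heap and reports whether it exceeds threshold.
// Polling it from a goroutine and alerting on true implements the page's
// "abnormal memory consumption" indicator inside the process itself.
func HeapAboveThreshold(threshold uint64) (heapBytes uint64, above bool) {
	var ms runtime.MemStats
	runtime.ReadMemStats(&ms)
	return ms.HeapAlloc, ms.HeapAlloc > threshold
}

func main() {
	ApplyMemoryLimit(512 << 20) // 512 MiB soft limit, an assumed value

	acceptAll := func([]byte) error { return nil } // stand-in decoder for the demo
	fmt.Println("small payload:", GuardedDecode(make([]byte, 64), acceptAll))
	fmt.Println("oversized payload:", GuardedDecode(make([]byte, maxAvroPayload+1), acceptAll))

	heap, above := HeapAboveThreshold(256 << 20)
	fmt.Printf("heap=%d bytes, above 256 MiB threshold=%v\n", heap, above)
}
```

In a real consumer the Decoder closure wraps the library's Unmarshal call and GuardedDecode sits at the single point where untrusted bytes enter; the heap sampler's threshold should be set from the service's normal baseline so the alert fires on the spike, not on steady-state load.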
🔍 How to Verify
Check if Vulnerable:
Check go.mod (or the vendored dependencies) for the hamba/avro version. If the version is below 2.13.0, the application is vulnerable.
Check Version:
grep 'hamba/avro' go.mod || go list -m github.com/hamba/avro/v2
Verify Fix Applied:
Verify that go.mod requires github.com/hamba/avro/v2 v2.13.0 or higher, and that the built application uses this version.
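The vulnerability check and the fix verification above, as an added Go example (not tooling from the hamba/avro project): it reads go.mod text, finds the version required for github.com/hamba/avro/v2, and compares it against the v2.13.0 fix version from this page. The go.mod content is constructed sample input, and pre-release versions of 2.13.0 are treated as still vulnerable, which is an assumption made here.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// hambaModule and fixedVersion come from the fix instructions on this page.
const (
	hambaModule  = "github.com/hamba/avro/v2"
	fixedVersion = "v2.13.0"
)

// sampleGoMod is a constructed go.mod used as example input; it is not from any real project.
const sampleGoMod = `module example.com/avro-consumer

go 1.21

require (
	github.com/hamba/avro/v2 v2.12.0
	github.com/stretchr/testify v1.8.4 // indirect
)
`

// findModuleVersion returns the version a go.mod requires for module, or "" if absent.
// It handles both the one-line "require mod vX" form and the "require ( ... )" block.
func findModuleVersion(goMod, module string) string {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i]) // strip trailing comments such as "// indirect"
		}
		line = strings.TrimPrefix(line, "require ")
		fields := strings.Fields(line)
		if len(fields) >= 2 && fields[0] == module {
			return fields[1]
		}
	}
	return ""
}

// parseSemver parses "vMAJOR.MINOR.PATCH[-pre][+build]" into its numeric parts and
// reports whether a pre-release suffix (which also covers Go pseudo-versions) was present.
func parseSemver(v string) (parts [3]int, pre bool, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 {
		pre = true
		v = v[:i]
	}
	nums := strings.Split(v, ".")
	if len(nums) != 3 {
		return parts, pre, fmt.Errorf("not MAJOR.MINOR.PATCH: %q", v)
	}
	for i, n := range nums {
		if parts[i], err = strconv.Atoi(n); err != nil {
			return parts, pre, fmt.Errorf("bad version component %q: %w", n, err)
		}
	}
	return parts, pre, nil
}

// compareSemver returns -1, 0 or 1 as a is older than, equal to, or newer than b.
func compareSemver(a, b [3]int) int {
	for i := range a {
		switch {
		case a[i] < b[i]:
			return -1
		case a[i] > b[i]:
			return 1
		}
	}
	return 0
}

// IsVulnerable reports whether goMod requires hamba/avro/v2 below the fixed version.
// found is false when the module is not required at all. A pre-release of the fixed
// version (e.g. v2.13.0-rc.1) is treated as still vulnerable.
func IsVulnerable(goMod string) (vulnerable, found bool, err error) {
	have := findModuleVersion(goMod, hambaModule)
	if have == "" {
		return false, false, nil
	}
	hv, pre, err := parseSemver(have)
	if err != nil {
		return false, true, err
	}
	fv, _, _ := parseSemver(fixedVersion)
	cmp := compareSemver(hv, fv)
	return cmp < 0 || (cmp == 0 && pre), true, nil
}

func main() {
	vulnerable, found, err := IsVulnerable(sampleGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s required: %v, below %s: %v\n", hambaModule, found, fixedVersion, vulnerable)
}
```

A go.mod require line is not the last word: a replace directive or a vendor directory can change what is actually linked, so confirm with the go list command given above against the built binary's module graph as well.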
📡 Detection & Monitoring
Log Indicators:
- 'fatal error: runtime: out of memory' errors in application logs
- Sudden application crashes or restarts when processing Avro data
- Abnormal memory consumption spikes in monitoring systems
Network Indicators:
- Unusually large or malformed Avro data payloads being sent to applications
SIEM Query:
source="application.logs" AND ("out of memory" OR "fatal error" OR "panic") AND process="*avro*"