Pulsar Function Worker: Arbitrary Java Exec via Improper Input (2.4.0-3.2.0)
CVE-2024-27135 Published on March 12, 2024
Apache Pulsar: Improper Input Validation in Pulsar Function Worker allows Remote Code Execution
Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".
This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.
3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.
3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.
3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
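As an added illustration (not part of the advisory or the Pulsar project), the following Python audits a deployment against the version ranges listed above and, for a broker, checks whether the "functionsWorkerEnabled=true" setting puts it in scope. The broker.conf fragment, the role names, and the function names are constructed for this example.

```python
"""Audit a Pulsar version/role pair against the CVE-2024-27135 ranges above."""
import re

# Affected ranges from the advisory, as [first affected, first fixed).
AFFECTED_RANGES = [
    ((2, 4, 0), (2, 10, 6)),
    ((2, 11, 0), (2, 11, 4)),
    ((3, 0, 0), (3, 0, 3)),
    ((3, 1, 0), (3, 1, 3)),
    ((3, 2, 0), (3, 2, 1)),
]

def parse_version(text):
    """Turn '3.0.2' (or '3.0.2-something') into a comparable (3, 0, 2) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Pulsar version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected_version(version):
    """True when the version falls inside any advisory range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def functions_worker_enabled(conf_text):
    """Read functionsWorkerEnabled from broker.conf-style text.
    Assumes key=value lines; '#' comments and blanks are skipped; default false;
    the last assignment wins, as in a properties file."""
    enabled = False
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "functionsWorkerEnabled":
            enabled = value.strip().lower() == "true"
    return enabled

def exposure(version, role, conf_text=""):
    """role is 'function-worker' (standalone worker) or 'broker' (hypothetical labels)."""
    if not is_affected_version(version):
        return "patched"
    if role == "function-worker":
        return "affected"
    if role == "broker" and functions_worker_enabled(conf_text):
        return "affected"
    return "not exposed"

# Constructed sample broker.conf fragment (not taken from a real deployment).
SAMPLE_BROKER_CONF = """
# functionsWorkerEnabled=false
functionsWorkerEnabled=true
"""
```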
Vulnerability Analysis
CVE-2024-27135 can be exploited with network access and requires only a small amount of user privileges. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Types
Improper Control of Dynamically-Managed Code Resources
The software does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements. Many languages offer powerful features that allow the programmer to dynamically create or modify existing code, or resources used by code such as variables and objects. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can directly influence these code resources in unexpected ways.
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Products Associated with CVE-2024-27135
Affected Versions
Apache Software Foundation Apache Pulsar:
- Versions from 2.4.0 up to, but not including, 2.10.6 are affected.
- Versions from 2.11.0 up to, but not including, 2.11.4 are affected.
- Versions from 3.0.0 up to, but not including, 3.0.3 are affected.
- Versions from 3.1.0 up to, but not including, 3.1.3 are affected.
- Versions from 3.2.0 up to, but not including, 3.2.1 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.