CVE-2024-27135

moderate-risk
Published 2024-03-12

Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true". This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 2.10 Pulsar Function Worker users should upgrade to at least 2.10.6. 2.11 Pulsar Function Worker users should upgrade to at least 2.11.4. 3.0 Pulsar Function Worker users should upgrade to at least 3.0.3. 3.1 Pulsar Function Worker users should upgrade to at least 3.1.3. 3.2 Pulsar Function Worker users should upgrade to at least 3.2.1. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.

Do I need to act?

-
0.09% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.5/10 High
NETWORK / HIGH complexity

Affected Products (2)

Affected Vendors

Apache

References (6)

Mailing List http://www.openwall.com/lists/oss-security/2024/03/12/9
Vendor Advisory https://lists.apache.org/thread/dh8nj2vmb2br6thjltq74lk9jxkz62wn
Vendor Advisory https://pulsar.apache.org/security/CVE-2024-27135/
Mailing List http://www.openwall.com/lists/oss-security/2024/03/12/9
Vendor Advisory https://lists.apache.org/thread/dh8nj2vmb2br6thjltq74lk9jxkz62wn
Vendor Advisory https://pulsar.apache.org/security/CVE-2024-27135/
32
/ 100
moderate-risk
Severity 25/34 · High
Exploitability 0/34 · Minimal
Exposure 7/34 · Low