Vulnerability Description
While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365 it was discovered Apache Arrow versions 0.12.0 to 0.14.1, left memory Array data uninitialized when reading RLE null data from parquet. This affected the C++, Python, Ruby and R implementations. The uninitialized memory could potentially be shared if are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Arrow | >= 0.12.0, <= 0.14.1 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2019/11/08/1Mailing ListThird Party Advisory
- https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a7
- https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a7
- https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc
- http://www.openwall.com/lists/oss-security/2019/11/08/1Mailing ListThird Party Advisory
- https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a7
- https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a7
- https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc
FAQ
What is CVE-2019-12410?
CVE-2019-12410 is a vulnerability with a CVSS score of 7.5 (HIGH). While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365 it was discovered Apache Arrow versions 0.12.0 to 0.14.1, left memory Array data uninitialized when reading RLE null data ...
How severe is CVE-2019-12410?
CVE-2019-12410 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-12410?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Arrow.