Fixed Issues in Apache Avro

Review the list of Avro issues that are resolved in Cloudera Runtime 7.3.2, its service packs and cumulative hotfixes.

Cloudera Runtime 7.3.2

Cloudera Runtime 7.3.2 resolves Avro issues and incorporates fixes from the service packs and cumulative hotfixes from 7.3.1.100 through 7.3.1.706. For a comprehensive record of all fixes in Cloudera Runtime 7.3.1.x, see Fixed Issues.

CDPD-88356: Migrate Apache Commons Lang dependency to version 3.18.0 to address CVE-2025-48924
7.3.2
This fix addresses a high-severity uncontrolled recursion vulnerability in Apache Commons Lang's ClassUtils.getClass(…) method by upgrading the commons-lang3 dependency to version 3.18.0.
CDPD-85710: Upgrade jQuery for Avro artifacts
7.3.2
Several CVEs (CVE-2020-23064, CVE-2019-5428, NSWG-ECO-328, NSWG-ECO-329) affected the jQuery version used in Avro's web artifacts. jQuery has been upgraded to a secure version to address these vulnerabilities.
CDPD-82755: Restrict trusted packages in ReflectData and SpecificData
7.3.2
This fix addresses a deserialization vulnerability (CVE-2024-47561) in ReflectData and SpecificData. The change introduces the org.apache.avro.SERIALIZABLE_PACKAGES system property to restrict class types during serialization, protecting the host system from malicious payloads.

Apache Jira: AVRO-3985

CDPD-77463: Upgrade Avro to version 1.12.0
The Avro component has been upgraded from version 1.11.1 to version 1.12.0.
CDPD-77022: Migrate dependency to commons-lang3
7.3.2
This fix ensures that all the Avro artifacts use the centralized commons-lang3 version.
CDPD-75119: Migrate Avro commons-io dependency to version 2.17.0
7.3.2
This fix addresses CVE-2024-47554 by upgrading the commons-io dependency to version 2.17.0.