oss-sec mailing list archives

CVE-2020-1964: Apache Heron (incubating) information disclosure vulnerability


From: Josh Fischer <josh () joshfischer io>
Date: Wed, 15 Apr 2020 22:59:22 -0500

CVE-2020-1964: Apache Heron (incubating) information disclosure vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
0.20.2-incubating
0.20.1-incubating
v-0.20.0-incubating

Description:
Apache Heron versions 0.20.2-incubating and earlier do not configure
their YAML parser to prevent the instantiation of arbitrary types,
resulting in remote code execution (CWE-502: Deserialization of
Untrusted Data).
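To illustrate the parser setting the description refers to, here is an added example (not Heron's code). It assumes Heron loads its YAML configuration with SnakeYAML 1.x, which the advisory does not name, and shows a check that distinguishes a parser built on the default constructor from one backed by SafeConstructor.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Constructed probe document: a global (!!) tag naming a harmless JDK class.
 * A parser that honours global tags will instantiate whatever class the
 * document names; a parser built on SafeConstructor only builds the core
 * YAML types (maps, lists, scalars) and rejects the tag.
 */
public final class YamlParserCheck {
    static final String PROBE = "!!java.awt.Point {x: 1, y: 2}\n";

    /** Returns true when the given Yaml instance refuses to resolve the global tag. */
    static boolean rejectsGlobalTags(Yaml yaml) {
        try {
            yaml.load(PROBE);
            // Parsed without complaint: the class to instantiate was chosen by the document.
            return false;
        } catch (YAMLException e) {
            // SafeConstructor raises ConstructorException (a YAMLException) for unknown tags.
            return true;
        }
    }

    /** Weak setting (SnakeYAML 1.x): the default Constructor resolves any !!fully.qualified.Name tag. */
    static Yaml unsafeParser() {
        return new Yaml();
    }

    /** Corrected setting: SafeConstructor restricts construction to standard YAML types. */
    static Yaml safeParser() {
        return new Yaml(new SafeConstructor());
    }

    public static void main(String[] args) {
        System.out.println("default Yaml() rejects global tags: " + rejectsGlobalTags(unsafeParser()));
        System.out.println("SafeConstructor rejects global tags: " + rejectsGlobalTags(safeParser()));
    }
}
```

With SnakeYAML 1.x the default parser turns the probe into a java.awt.Point, while the SafeConstructor-backed one throws; SnakeYAML 2.x changed the default to reject global tags unless a TagInspector allows them, so on 2.x both checks report true.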

Mitigation:
Users of 0.20.2-incubating and earlier should build from the current HEAD
of master.
A vote has been started for a new release 0.20.3-incubating which will
include the fix.

Credit:
This vulnerability was discovered by Frederic Vleminckx.

Regards,

The Apache Heron (Incubating) Team
