Jason Villaluna

Name of the Vulnerable Software and Affected Versions: Apache ORC versions 1.8.0 through 1.8.8 Apache ORC versions 1.9.0 through 1.9.5 Apache ORC versions 2.0.0 through 2.0.4 Apache ORC versions 2.1.0 through 2.1.1 Description: A Heap-based Buffer Overflow vulnerability has been identified in the ORC C++ LZO decompression logic. Specially crafted malformed ORC files can cause the decompressor to allocate a 250-byte buffer but then attempt to copy 295 bytes into it, resulting in memory corruption. Recommendations: For Apache ORC versions 1.8.0 through 1.8.8, upgrade to version 1.8.9. For Apache ORC versions 1.9.0 through 1.9.5, upgrade to version 1.9.6. For Apache ORC versions 2.0.0 through 2.0.4, upgrade to version 2.0.5. For Apache ORC versions 2.1.0 through 2.1.1, upgrade to version 2.1.2.