CVE-2024-47561 - Apache Avro Java SDK

[MrFang1986]

Logstash information:

Please include the following information:

1. Logstash version (e.g. bin/logstash --version)
2. Logstash installation source (e.g. built from source, with a package manager: DEB/RPM, expanded from tar or zip archive, docker)
3. How is Logstash being run (e.g. as a service/service manager: systemd, upstart, etc. Via command line, docker/kubernetes)
4. How was the Logstash Plugin installed

JVM (e.g. java -version):

If the affected version of Logstash is 7.9 (or earlier), or if it is NOT using the bundled JDK or using the 'no-jdk' version in 7.10 (or higher), please provide the following information:

1. JVM version (java -version)
2. JVM installation source (e.g. from the Operating System's package manager, from source, etc).
3. Value of the JAVA_HOME environment variable if set.

OS version (uname -a if on a Unix-like system):

Description of the problem including expected versus actual behavior:

Steps to reproduce:

Please include a minimal but complete recreation of the problem,
including (e.g.) pipeline definition(s), settings, locale, etc. The easier
you make for us to reproduce it, the more likely that somebody will take the
time to look at it.

_lz4版本漏洞
./logstash-8.15.2/vendor/bundle/jruby/3.1.0/gems/logstash-integration-kafka-11.5.0-java/vendor/jar-dependencies/org/lz4/lz4-java/1.8.0/lz4-java-1.8.0.jar

CVE-2024-47561 - Apache Avro Java SDK任意代码执行
./logstash-8.0.0/vendor/bundle/jruby/2.5.0/gems/logstash-integration-kafka-10.9.0-java/vendor/jar-dependencies/org/apache/avro/avro/1.9.2/avro-1.9.2.jar

Provide logs (if relevant):