topic Apache Parquet < 1.15.1 Remote Code Execution (CVE-2025-30065) in ArcGIS Pro in ArcGIS Pro Questions

Apache Parquet < 1.15.1 Remote Code Execution (CVE-2025-30065) in ArcGIS Pro

DEWright_CA — Fri, 09 May 2025 22:29:35 GMT

@RandallWilliams ; the Trust Site is showing this CVE as "Esri Assessment & Response:
Component not present" ; but Tenable is scanning the jar files in the Pro installation folder and returning this:

Plugin Output:

Path : C:\Program Files\ArcGIS\Pro\java\runtime\spark\jars\parquet-column-1.13.1.jar

Installed version : 1.13.1

Fixed version : 1.15.1

Path : C:\Program Files\ArcGIS\Pro\java\runtime\spark\jars\parquet-common-1.13.1.jar

Installed version : 1.13.1

Fixed version : 1.15.1

Path : C:\Program Files\ArcGIS\Pro\java\runtime\spark\jars\parquet-encoding-1.13.1.jar

Installed version : 1.13.1

Fixed version : 1.15.1

Path : C:\Program Files\ArcGIS\Pro\java\runtime\spark\jars\parquet-hadoop-1.13.1.jar

Installed version : 1.13.1

Fixed version : 1.15.1

Re: Apache Parquet < 1.15.1 Remote Code Execution (CVE-2025-30065) in ArcGIS Pro

MarcoBoeringa — Sat, 10 May 2025 17:49:59 GMT

The CVE seems to concern only one specific library regarding Avro format, which doesn't seem present in the Pro install (see my listing below which slightly differs from yours but does not show a file name with 'avro'). These found modules are different ones, and as far as I can tell not involved in the CVE. I guess the affected module is called simply 'parquet-avro-<VERSION>.jar', but I didn't see the actual full filename listed in the CVE.

Re: Apache Parquet < 1.15.1 Remote Code Execution (CVE-2025-30065) in ArcGIS Pro

RandallWilliams — Mon, 12 May 2025 14:33:39 GMT

@MarcoBoeringa is correct and Tenable is providing a false positive. We do not provide the parquet-avro module. Tenable chooses to err on the side of false positives over false negatives.

"Esri Assessment & Response:
Component not present"

Is the correct response.

Re: Apache Parquet < 1.15.1 Remote Code Execution (CVE-2025-30065) in ArcGIS Pro

DEWright_CA — Mon, 12 May 2025 22:12:51 GMT

Thank you for the additional detail; I have forwarded this thread to my security team.

Re: Apache Parquet < 1.15.1 Remote Code Execution (CVE-2025-30065) in ArcGIS Pro

TKSHEP — Mon, 17 Nov 2025 15:01:37 GMT

We got it on server, do you have an update for this?

Description: The version of Apache Parquet on the remote host is prior to 1.15.1. It is, therefore, affected by a remote code execution vulnerability:

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code Users are recommended to upgrade to version 1.15.1, which fixes the issue. (CVE-2025-30065)

**************
Plugin Title: Apache Parquet < 1.15.1 Remote Code Execution (CVE-2025-30065)

**************
Plugin Output:

Path : C:\Program Files\ArcGIS\Server\framework\runtime\spark\jars\parquet-hadoop-1.13.1.jar
Installed version : 1.13.1
Fixed version : 1.15.1

Path : C:\Program Files\ArcGIS\Server\framework\runtime\spark\jars\parquet-encoding-1.13.1.jar
Installed version : 1.13.1
Fixed version : 1.15.1

Path : C:\Program Files\ArcGIS\Server\framework\runtime\spark\jars\parquet-column-1.13.1.jar
Installed version : 1.13.1
Fixed version : 1.15.1

Path : C:\Program Files\ArcGIS\Server\framework\runtime\spark\jars\parquet-common-1.13.1.jar
Installed version : 1.13.1
Fixed version : 1.15.1
**************
CVE(s): CVE-2025-30065

Re: Apache Parquet < 1.15.1 Remote Code Execution (CVE-2025-30065) in ArcGIS Pro

RandallWilliams — Mon, 17 Nov 2025 15:06:27 GMT

Hi,

I'd argue that there is a bug in your tooling.

This finding as against the parquet-avro module, which is not in the list of JARS the tool you've provided.