
Apache Parquet < 1.15.1 Remote Code Execution (CVE-2025-30065) in ArcGIS Pro

05-09-2025 03:29 PM
DEWright_CA
Frequent Contributor

@RandallWilliams, the Trust Site is showing this CVE as "Esri Assessment & Response: Component not present", but Tenable is scanning the jar files in the Pro installation folder and returning this:

Plugin Output:

  Path              : C:\Program Files\ArcGIS\Pro\java\runtime\spark\jars\parquet-column-1.13.1.jar
  Installed version : 1.13.1
  Fixed version     : 1.15.1

  Path              : C:\Program Files\ArcGIS\Pro\java\runtime\spark\jars\parquet-common-1.13.1.jar
  Installed version : 1.13.1
  Fixed version     : 1.15.1

  Path              : C:\Program Files\ArcGIS\Pro\java\runtime\spark\jars\parquet-encoding-1.13.1.jar
  Installed version : 1.13.1
  Fixed version     : 1.15.1

  Path              : C:\Program Files\ArcGIS\Pro\java\runtime\spark\jars\parquet-hadoop-1.13.1.jar
  Installed version : 1.13.1
  Fixed version     : 1.15.1

MarcoBoeringa
MVP Alum

The CVE seems to concern only one specific library regarding the Avro format, which doesn't seem present in the Pro install (see my listing below, which slightly differs from yours but does not show a file name with 'avro'). These found modules are different ones, and as far as I can tell not involved in the CVE. I guess the affected module is called simply 'parquet-avro-<VERSION>.jar', but I didn't see the actual full filename listed in the CVE.

[Image: MarcoBoeringa_0-1746899075166.png (the jar listing referred to above)]

RandallWilliams
Esri Regular Contributor

@MarcoBoeringa is correct and Tenable is providing a false positive. We do not provide the parquet-avro module. Tenable chooses to err on the side of false positives over false negatives.

"Esri Assessment & Response: Component not present" is the correct response.

DEWright_CA
Frequent Contributor

Thank you for the additional detail; I have forwarded this thread to my security team.

TKSHEP
Frequent Contributor

We got it on Server; do you have an update for this?

Description: The version of Apache Parquet on the remote host is prior to 1.15.1. It is, therefore, affected by a remote code execution vulnerability:

  • Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.15.1, which fixes the issue. (CVE-2025-30065)

**************
Plugin Title: Apache Parquet < 1.15.1 Remote Code Execution (CVE-2025-30065)
**************
Plugin Output:

  • Path : C:\Program Files\ArcGIS\Server\framework\runtime\spark\jars\parquet-hadoop-1.13.1.jar
  • Installed version : 1.13.1
  • Fixed version : 1.15.1
  • Path : C:\Program Files\ArcGIS\Server\framework\runtime\spark\jars\parquet-encoding-1.13.1.jar
  • Installed version : 1.13.1
  • Fixed version : 1.15.1
  • Path : C:\Program Files\ArcGIS\Server\framework\runtime\spark\jars\parquet-column-1.13.1.jar
  • Installed version : 1.13.1
  • Fixed version : 1.15.1
  • Path : C:\Program Files\ArcGIS\Server\framework\runtime\spark\jars\parquet-common-1.13.1.jar
  • Installed version : 1.13.1
  • Fixed version : 1.15.1
**************
CVE(s): CVE-2025-30065
RandallWilliams
Esri Regular Contributor

Hi,

I'd argue that there is a bug in your tooling.

This finding is against the parquet-avro module, which is not in the list of JARs in the tool output you've provided.
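A triage check for scanner findings like the Pro and Server outputs quoted in this thread, added here as an example; it is not part of the original posts and not an Esri or Tenable tool. It parses Maven-style jar file names and separates the module the advisory actually names (parquet-avro below 1.15.1) from other parquet-* jars that merely share the version line. The four sample paths are the ones quoted above; the parquet-avro path is a constructed hypothetical.

```python
import re

# From the advisory text quoted in this thread: CVE-2025-30065 lives in the
# parquet-avro module's schema parsing and is fixed in Parquet 1.15.1.
AFFECTED_ARTIFACT = "parquet-avro"
FIXED_VERSION = (1, 15, 1)
# Maven-style jar name: <artifact>-<version>[-<classifier>].jar
JAR_RE = re.compile(
    r"^(?P<artifact>[a-z][a-z0-9-]*?)-(?P<version>\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$",
    re.IGNORECASE,
)

def parse_version(text: str) -> tuple:
    return tuple(int(p) for p in text.split("."))

def classify_jar(path: str) -> tuple:
    """Return (artifact, version, status); status: affected | false_positive | fixed | not_parquet."""
    name = re.split(r"[\\/]", path)[-1]  # Windows or POSIX separators
    match = JAR_RE.match(name)
    if not match or not match.group("artifact").lower().startswith("parquet-"):
        return (name, "", "not_parquet")
    artifact = match.group("artifact").lower()
    version = match.group("version")
    below_fix = parse_version(version) < FIXED_VERSION
    if artifact == AFFECTED_ARTIFACT and below_fix:
        status = "affected"        # the module the CVE names, older than the fix
    elif below_fix:
        status = "false_positive"  # same version line, but not the module in the CVE
    else:
        status = "fixed"
    return (artifact, version, status)

def triage(paths) -> dict:
    """Group scanner-reported jar paths by status; only 'affected' needs action."""
    out = {"affected": [], "false_positive": [], "fixed": [], "not_parquet": []}
    for path in paths:
        artifact, version, status = classify_jar(path)
        out[status].append((path, artifact, version))
    return out

# Constructed sample: the four paths from the Tenable output in this thread,
# plus one hypothetical parquet-avro jar to show what a true positive looks like.
SAMPLE_PATHS = [
    r"C:\Program Files\ArcGIS\Pro\java\runtime\spark\jars\parquet-column-1.13.1.jar",
    r"C:\Program Files\ArcGIS\Pro\java\runtime\spark\jars\parquet-common-1.13.1.jar",
    r"C:\Program Files\ArcGIS\Pro\java\runtime\spark\jars\parquet-encoding-1.13.1.jar",
    r"C:\Program Files\ArcGIS\Pro\java\runtime\spark\jars\parquet-hadoop-1.13.1.jar",
    r"C:\hypothetical\parquet-avro-1.13.1.jar",
]
```

Feed it the Path lines from a report (or a directory walk of the spark\jars folder) and only the "affected" bucket warrants a ticket; the "false_positive" bucket is the version-only match the scanner raised here.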