Threat actors could exploit a critical vulnerability in the Apache Avro Java Software Development Kit, tracked as CVE-2024-47561, to achieve arbitrary code execution in Java applications, The Hacker News reports.
The issue, which was identified and reported by Databricks security team member Kostya Kortchinsky, affects all Apache Avro versions up to and including 1.11.3, according to Qualys Manager of Threat Research Mayuresh Dani, who also noted that the bug could potentially be abused through Kafka.
"Since Apache Avro is an open-source project, it is used by many organizations. Based on publicly available data, a majority of these organizations are located in the U.S. This definitely has a lot of security implications if left unpatched, unsupervised, and unprotected," said Dani.
Organizations running vulnerable Apache Avro versions have been urged by the project maintainers to immediately upgrade to version 1.11.4 or 1.12.0 of the SDK to remediate the issue.