Vulnerability Management, Application security

RCE in Java apps likely with critical Apache Avro SDK vulnerability

Share
Apache HTTP Server website (www.apache.org) displayed on smartphone

Threat actors could leverage a critical Apache Avro Java Software Development Kit vulnerability, tracked as CVE-2024-47561, to facilitate arbitrary code execution in Java applications, The Hacker News reports.

Such an issue, which was identified and reported by Databricks security team member Kostya Kortchinsky, affects all Apache Avro instances up to version 1.11.3, according to Qualys Manager of Threat Research Mayuresh Dani, who also noted potential abuse of the bug through Kafka. "Since Apache Avro is an open-source project, it is used by many organizations. Based on publicly available data, a majority of these organizations are located in the U.S. This definitely has a lot of security implications if left unpatched, unsupervised, and unprotected," said Dani. Organizations with vulnerable Apache Avro implementations have been urged by the project maintainers to immediately implement versions 1.11.4 or 1.12.0 of the SDK to remediate the issue.

An In-Depth Guide to Application Security

Get essential knowledge and practical strategies to fortify your applications.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.