Original link: Critical Apache Avro SDK Flaw Allows Remote Code Execution in Java Applications / The Hacker News.
Apache Avro is a binary serialization framework like Google Protobuf and the data part of Thrift.
The vulnerability is in deserialization. It is fixed in versions 1.11.4+ and 1.12.0+.
Many may not even have heard of Avro, but it is quite popular in big data and the US financial sector.
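To check a Java project against the fixed versions given above, the following added example (not from the linked article or the Avro project) scans `mvn dependency:tree` output for the core library and flags anything older than 1.11.4. It assumes the library's Maven coordinate is `org.apache.avro:avro`; the function names and the sample tree are constructed for illustration.

```python
import re

# First fixed release named above; 1.12.0 and later compare greater and pass.
FIRST_FIXED = (1, 11, 4)

# dependency:tree coordinate: group:artifact:type[:classifier]:version:scope
# Assumption: the core Java library is published as org.apache.avro:avro.
COORD = re.compile(
    r"(?<![\w.-])org\.apache\.avro:avro:[\w.-]+:(?:[\w.-]+:)?(\d[\w.-]*):(\w+)"
)

def parse_version(text):
    """Return the leading numeric components, e.g. '1.11.3' -> (1, 11, 3)."""
    parts = []
    for piece in re.split(r"[.-]", text):
        if not piece.isdigit():
            break  # qualifiers such as -SNAPSHOT are ignored
        parts.append(int(piece))
    return tuple(parts)

def is_fixed(version):
    """True if the version is at or above the first fixed release."""
    padded = (parse_version(version) + (0, 0, 0))[:3]
    return padded >= FIRST_FIXED

def find_unfixed_avro(tree_output):
    """Return (version, scope) for each Avro core entry below the fix."""
    findings = []
    for line in tree_output.splitlines():
        match = COORD.search(line)
        if match and not is_fixed(match.group(1)):
            findings.append((match.group(1), match.group(2)))
    return findings

# Constructed sample: dependency:tree lines gathered from several modules.
SAMPLE_TREE = """\
[INFO] com.example:ingest-service:jar:0.1.0
[INFO] +- org.apache.avro:avro:jar:1.11.3:compile
[INFO] +- org.apache.avro:avro-ipc:jar:1.11.3:compile
[INFO] |  \\- org.apache.avro:avro:jar:1.9.2:runtime
[INFO] +- org.apache.avro:avro:jar:1.11.4:compile
[INFO] \\- org.apache.avro:avro:jar:tests:1.12.0:test
"""

if __name__ == "__main__":
    for version, scope in find_unfixed_avro(SAMPLE_TREE):
        print(f"org.apache.avro:avro {version} ({scope}) predates the fix")
```

Transitive copies matter as much as direct ones: the 1.9.2 entry in the sample is pulled in by another dependency and would still be on the classpath at runtime.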