Information Security News mailing list archives

Oracle Patches 3-Year-Old Java Deserialization Flaw in April Update


From: InfoSec News <alerts () infosecnews org>
Date: Fri, 19 Apr 2019 09:25:40 +0000 (UTC)

https://www.eweek.com/security/oracle-patches-3-year-old-java-deserialization-flaw-in-april-update

By Sean Michael Kerner
eWEEK.com
April 18, 2019

Oracle released its latest quarterly Critical Patch Update on April 17, fixing 297 vulnerabilities spread across its software portfolio.

The vulnerabilities patched in the update vary in severity, with 53 of the flaws getting a Common Vulnerability Scoring System (CVSS) score of 9.0 or more, denoting the most critical issues. Not all of the vulnerabilities in the patch set are entirely new either, with one being a 3-year-old flaw in a Java library that is only now making its way into patches for affected products. The need to patch flaws both old and new is one that Oracle and security experts alike regularly emphasize.

"Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes," Oracle stated in its advisory. "In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches."

Among the most well-known instances of an unpatched issue leading to exploitation is the 2017 breach of Equifax, in which the Apache Struts component, which is part of multiple Oracle applications, was not patched. Somewhat coincidentally, among the most impactful flaws patched in the new April CPU is one belonging to a similar bug class as the flaw that impacted Equifax.

[...]



--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_