https://www.eweek.com/security/oracle-patches-3-year-old-java-deserialization-flaw-in-april-update
By Sean Michael Kerner
eWEEK.com
April 18, 2019
Oracle released its latest quarterly Critical Patch Update on April 17, fixing
297 vulnerabilities spread across its software portfolio.
The vulnerabilities patched in the update vary in severity, with 53 of the
flaws getting a Common Vulnerability Scoring System (CVSS) score of 9.0 or
more, denoting the most critical issues. Not all of the vulnerabilities in the
patch set are entirely new either, with one being a 3-year-old flaw in a Java
library that is only now making its way into patches for affected products. The
need to patch flaws both old and new is one that Oracle and security experts
alike regularly emphasize.
"Oracle continues to periodically receive reports of attempts to maliciously
exploit vulnerabilities for which Oracle has already released fixes," Oracle
stated in its advisory. "In some instances, it has been reported that attackers
have been successful because targeted customers had failed to apply available
Oracle patches."
Among the most well-known instances of an unpatched issue leading to
exploitation is the 2017 breach of Equifax, in which the Apache Struts
component, which is part of multiple Oracle applications, was not patched.
Somewhat coincidentally, among the most impactful flaws patched in the new
April CPU is one belonging to a similar bug class as the flaw that impacted
Equifax.
[...]