through application configuration changes or through controlled input when a user clicks on a browser link. The update describes the vulnerability in the following section.

Impact

VU#205968: Insecure Deserialization when parsing JSON data

There is insecure deserialization of JSON data in the Java VM that can result in the execution of arbitrary code. This issue can be exploited when deserializing untrusted data (e.g., data sent in a request to a service) into a class that is used at runtime. Exploitation of this issue results in code execution in the context of the application that uses the class.

Note: This issue can also be exploited through web services and application configuration changes. For example, an attacker could provide maliciously crafted input that is deserialized via a service.

CVE-2018-3337: Web Application Security Vulnerabilities

There are currently no known vulnerabilities that have been identified with this severity.

Solution

REFERENCE: Oracle has released an update to correct these vulnerabilities. This Critical patch update (

Oracle has provided the following resolution steps:

Update to version 17.1.3.3 of Oracle Java SE or version 17.1.3.5 of Oracle Java SE Embedded.

Apply the patch provided in https://www.oracle.com/technetwork/topics/security/javacpt-20190411-114605.html.

Apply the fix recommended in KB2542115.

Timeline

Published on: 01/19/2022 12:15:00 UTC
Last modified on: 05/13/2022 14:51:00 UTC

References