In 2017, around 60 remote code execution (RCE) deserialization vulnerabilities were reported, not including deserialization issues that only impact the availability of a system (Denial-of-Service), according to cvedetails.com. To date, in 2018, more than 80 such vulnerabilities have been reported. In the past, WebLogic, Oracle’s Enterprise Java application server, has been extensively patched against deserialization issues.
The latest October 2018 Oracle Critical Patch Update (CPU) fixes another series of deserialization issues in WebLogic.
Because of this, I am often asked why Java deserialization vulnerabilities are being discovered so frequently? Is there a fun…
DZone Security Zone