My Oracle Support Banner

Java Deserialization Vulnerability Detected Message Returned on Security Check of OAG (Doc ID 2731831.1)

Last updated on DECEMBER 01, 2020

Applies to:

Oracle API Gateway - Version 11.1.2.4.0 and later
Information in this document applies to any platform.

Goal

It has been determined that a security scan of the OAG product returns the following vulnerabilty:

Title: Java Deserialization Vulnerability Detected
 
Severity Level: 5
Vulnerability Type: Confirmed Vulnerability
Discovery Method: Remote Only
QID: 11837
Category: CGI
 
Threat: The host runs a Java application that suffers from Java Deserialization vulnerability. The application accepts serialized objects, however it does not validate or check untrusted input before deserializing it.

Impact: An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary Java code on the system.
 
This was determined to be found on the CacheManager process running on the system.

How can this vulnerability be avoided?
 

Solution

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Goal
Solution


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.