In Apache Batik 1.x prior to 1.10, when deserializing a subclass of `AbstractDocument`, the class reads a string from the input stream, treats it as a class name, and uses it to invoke the no-arg constructor of that class. The fix was to check the class type before calling newInstance during deserialization.
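As an added illustration of the fix pattern described above (example code written for this page, not Batik's own source), the following hypothetical `Holder` class carries a factory object whose class name is written to the stream as a string. The names `DocumentFactory`, `SafeDocumentFactory`, `Holder` and `DeserializationCheckDemo` are assumptions for this example. The reader resolves the name without initialising the class and verifies that it is assignable to the expected interface before any constructor runs; the second `Holder` constructor exists only so the demo can put an arbitrary class name on the wire and show the check rejecting it.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Hypothetical stand-ins for the Batik types; names assumed for this example only.
interface DocumentFactory { }

class SafeDocumentFactory implements DocumentFactory { }

class Holder implements Serializable {
    private static final long serialVersionUID = 1L;

    transient DocumentFactory factory;
    // Constructed for the demo: lets main() place an arbitrary class name on the wire
    // so the reader's check can be exercised. Not part of the fix pattern itself.
    transient String wireName;

    Holder(DocumentFactory factory) { this.factory = factory; }
    Holder(String wireName) { this.wireName = wireName; }

    private void writeObject(ObjectOutputStream out) throws IOException {
        out.defaultWriteObject();
        out.writeUTF(wireName != null ? wireName : factory.getClass().getName());
    }

    // Hardened reader: the class named in the stream is resolved without running its
    // static initialiser (initialize=false) and must be a DocumentFactory before any
    // constructor is invoked. Calling newInstance() on the raw name, with no type
    // check, is the defect the page describes.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        String className = in.readUTF();
        Class<?> cls = Class.forName(className, false, Holder.class.getClassLoader());
        if (!DocumentFactory.class.isAssignableFrom(cls)) {
            throw new InvalidClassException(className, "stream names a class that is not a DocumentFactory");
        }
        try {
            factory = (DocumentFactory) cls.getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            throw new InvalidClassException(className, "cannot instantiate: " + e.getMessage());
        }
    }
}

public class DeserializationCheckDemo {
    static byte[] serialize(Holder h) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(h);
        }
        return bos.toByteArray();
    }

    static Holder deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (Holder) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Legitimate stream: the named class implements DocumentFactory, so it is accepted.
        Holder ok = deserialize(serialize(new Holder(new SafeDocumentFactory())));
        System.out.println("accepted: " + ok.factory.getClass().getName());

        // Constructed stream naming a class that is not a DocumentFactory: rejected
        // before its constructor can run.
        try {
            deserialize(serialize(new Holder("java.util.ArrayList")));
            System.out.println("BUG: unexpected class was instantiated");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two details matter for defenders reviewing similar code: the type check has to precede `newInstance()`, since a class-level check after construction is too late, and a stream-level `ObjectInputFilter` (JEP 290) only governs classes the `ObjectInputStream` resolves itself, not classes a custom `readObject` looks up through `Class.forName`, so the explicit assignability check is still needed even on a filtered stream.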
| Vulnerable Product |
|---|
| apache batik |
| debian debian linux 8.0 |
| debian debian linux 7.0 |
| debian debian linux 9.0 |
| canonical ubuntu linux 14.04 |
| oracle jd edwards enterpriseone tools 9.2 |
| oracle fusion middleware mapviewer 12.2.1.2 |
| oracle enterprise repository 12.1.3.0.0 |
| oracle business intelligence 11.1.1.9.0 |
| oracle enterprise repository 11.1.1.7.0 |
| oracle business intelligence 11.1.1.7.0 |
| oracle retail back office 13.4 |
| oracle retail back office 14.1 |
| oracle retail back office 13.3 |
| oracle business intelligence 12.2.1.3.0 |
| oracle communications diameter signaling router |
| oracle retail order broker 5.1 |
| oracle retail order broker 5.2 |
| oracle retail order broker 15.0 |
| oracle retail order broker 16.0 |
| oracle insurance calculation engine 10.2.1 |
| oracle insurance calculation engine 10.1.1 |
| oracle retail returns management 14.1 |
| oracle retail central office 14.1 |
| oracle communications webrtc session controller |
| oracle retail point-of-service 14.1 |
| oracle retail point-of-service 14.0 |
| oracle retail point-of-service 13.4 |
| oracle fusion middleware mapviewer 12.2.1.3 |
| oracle financial services analytical applications infrastructure |
| oracle data integrator 12.2.1.3.0 |
| oracle business intelligence 12.2.1.4.0 |
| oracle instantis enterprisetrack 17.1 |
| oracle instantis enterprisetrack 17.2 |
| oracle instantis enterprisetrack 17.3 |
| oracle retail integration bus 17.0 |
| oracle insurance policy administration j2ee 10.0 |
| oracle insurance policy administration j2ee 10.2 |
| oracle retail back office 14 |
| oracle communications metasolv solution 6.3.0 |
Out of 284 flaws, 33 are rated critical. Big Red admins have big patches ahead. Thought Patch Tuesday was a load? You gotta check out this Oracle mega-advisory, then.
Oracle admins, here's your first critical patch advisory for 2019, and it's a doozy: a total of 284 vulnerabilities patched across Big Red's product range, and 33 of them are rated “critical”. We hope your support contracts are up to date to receive these fixes. The full list is here, and with so much to choose from, The Register will work through the top-rated bugs. Oracle Communications Applications (OCA) is home to nine of the vulnerabilities in various components: Oracle E-Business' Perf...