CVE-2026-47065

Unknown · Multiple Products

Multiple deserialization vulnerabilities exist that allow filter bypass and the triggering of unintended static initializers in Java-based products.

Executive summary

Critical Java deserialization flaws in unspecified products permit security filter bypasses and unauthorized execution of static initializers.

Vulnerability

This vulnerability comprises two distinct issues: ZDRES-232, which bypasses ObjectInputStream filters via java.lang.reflect.Proxy, and ZDRES-233, which triggers static initializers (<clinit>) of allow-listed classes. These vulnerabilities affect Java applications that perform insecure deserialization of untrusted data.

Business impact

With a CVSS score of 9.8, this vulnerability poses a significant risk to the integrity and availability of Java-based applications. Exploitation can lead to bypasses of security controls and the execution of arbitrary code via side-effecting static initializers, potentially resulting in full system compromise.

Remediation

Immediate Action: Identify all Java-based applications in the environment and apply the latest security patches provided by the software vendor.

Proactive Monitoring: Monitor application logs for deserialization errors or unexpected class loading activity that may indicate exploitation attempts.

Compensating Controls: Implement strict deserialization filters (JEP 290/380) to limit the classes allowed for deserialization, reducing the attack surface.
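As an added defensive illustration of the compensating control above (example code, not from the advisory or from any affected vendor), the following JEP 290 ObjectInputFilter combines an exact-name allow-list with resource limits and an explicit rejection of dynamic Proxy classes, returning REJECTED rather than UNDECIDED for everything not listed. The class names, allow-list contents and limit values are assumptions for a hypothetical application.

```java
import java.io.*;
import java.lang.reflect.*;
import java.util.*;

public class StrictDeserializationFilter {
    // Assumed allow-list for a hypothetical application: exact class names only.
    static final Set<String> ALLOWED = Set.of("java.util.ArrayList", "java.lang.String");

    // JEP 290 filter: resource limits first, never a dynamic proxy, default deny.
    static ObjectInputFilter filter() {
        return info -> {
            if (info.depth() > 10 || info.arrayLength() > 1_000 || info.references() > 1_000) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> cls = info.serialClass();
            if (cls == null) return ObjectInputFilter.Status.UNDECIDED;   // limits-only call
            if (Proxy.isProxyClass(cls)) return ObjectInputFilter.Status.REJECTED;
            while (cls.isArray()) cls = cls.getComponentType();           // judge element type
            return cls.isPrimitive() || ALLOWED.contains(cls.getName())
                    ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter());   // per-stream filter; a JVM-wide one can be set too
            return ois.readObject();
        }
    }

    // Constructed serializable handler, only so that a proxy instance can be written at all.
    static final class NoopHandler implements InvocationHandler, Serializable {
        public Object invoke(Object p, Method m, Object[] a) { return null; }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(deserialize(serialize(new ArrayList<>(List.of("ok")))));
        Object proxy = Proxy.newProxyInstance(StrictDeserializationFilter.class.getClassLoader(),
                new Class<?>[] { Runnable.class }, new NoopHandler());
        try { deserialize(serialize(proxy)); }    // proxy descriptor is rejected by the filter
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The ArrayList of strings passes because every descriptor in its stream is allow-listed, while the proxy stream fails at its class descriptor, since neither the interface nor the generated proxy class is listed and proxies are refused outright.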

Exploitation status

Public Exploit Available: false

Analyst recommendation

Organizations should consult their software vendors immediately to determine if their specific Java products are impacted. Given the severity of deserialization flaws, applying vendor-supplied patches as soon as they become available is mandatory to maintain security posture.