Oracle plans to drop support for data serialization/deserialization from the main body of the Java language, according to Mark Reinhold, chief architect of the Java platform group at Oracle.
Serialization is the process of taking a data object and converting it into a stream of bytes (a binary format) so that it can be sent across a network or stored in a database, to be deserialized later and used again in its original form.
Many products are affected by this type of attack (deserialization attacks), since Java is the basis of many solutions. Within the Oracle Database stack, several areas are exposed to this type of attack, the most significant being the REST services. Oracle's documentation defines them as follows:
Oracle REST Data Services (ORDS) makes it easy to develop modern REST interfaces for relational data in the Oracle Database, Oracle Database 12c JSON Document Store, and Oracle NoSQL Database. A mid-tier Java application, ORDS maps HTTP(S) verbs (GET, POST, PUT, DELETE, etc.) to database transactions and returns any results formatted using JSON.
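As an added illustration (not code from the original post, from ORDS or from Oracle's documentation), the program below serializes a constructed `Ticket` object exactly as described above and then deserializes it under a JEP 290 `ObjectInputFilter` that allows only that class; this is the standard way to limit what untrusted serialized bytes may instantiate while Java serialization is still present. The class name, the depth and reference limits and the sample data are assumptions.

```java
import java.io.*;

public class SerializationFilterDemo {
    // Constructed sample type; stands in for an application's own data object.
    static final class Ticket implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        Ticket(String id) { this.id = id; }
    }

    // Serialize: object -> byte stream (the transport form described in the text).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize under a JEP 290 filter (Java 9+): only Ticket and String are
    // accepted, any other class is rejected before it is resolved, and graphs
    // deeper than 5 levels or holding more than 1000 references are refused.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxrefs=1000;" + Ticket.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allowed class: round-trips normally.
        byte[] ok = serialize(new Ticket("T-42"));
        Ticket t = (Ticket) deserializeFiltered(ok);
        System.out.println("accepted: " + t.id);

        // A class outside the allow-list (here java.util.ArrayList) is rejected
        // with InvalidClassException ("filter status: REJECTED") before any of
        // its deserialization logic runs.
        byte[] other = serialize(new java.util.ArrayList<String>());
        try {
            deserializeFiltered(other);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern syntax can be applied process-wide with the `jdk.serialFilter` system property, which is how a mid-tier application such as ORDS would normally be protected without changing its code.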
HTH – Antonio NAVARRO