Aws Advanced Jdbc Wrapper
Monthly
Arbitrary code execution in Amazon's AWS Advanced JDBC Wrapper (versions 3.3.0 through 4.0.0) arises from the RemoteQueryCachePlugin deserializing cached query results from Redis or Valkey via a raw ObjectInputStream with no class filtering. An actor able to write to the shared cache can poison entries with a crafted serialized Java object, triggering gadget-chain execution on every application server that later reads that cache entry. No public exploit identified at time of analysis; risk is elevated because a single poisoned cache key fans out to all consuming app servers.
Arbitrary code execution in Amazon's AWS Advanced JDBC Wrapper (versions 3.3.0 through 4.0.0) arises from the RemoteQueryCachePlugin deserializing cached query results from Redis or Valkey via a raw ObjectInputStream with no class filtering. An actor able to write to the shared cache can poison entries with a crafted serialized Java object, triggering gadget-chain execution on every application server that later reads that cache entry. No public exploit identified at time of analysis; risk is elevated because a single poisoned cache key fans out to all consuming app servers.