SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 98

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM cost reform

...

Using the default serialized form for any class with implementation-defined invariants may result in the malicious tampering of class invariants.

Rule

Severity

Likelihood

Remediation Cost

Detectable

Repairable

Priority

Level

SER07-J

Medium

Probable

High

No

No

P4

L3

Automated Detection

Tool
Version
Checker
Description
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

JAVA.CLASS.SER.ND

Serialization not disabled

Coverity7.5UNSAFE_DESERIALIZATIONImplemented
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.SER07.RRSCDefine a "readResolve" method for all instances of Serializable types

Related Guidelines

MITRE CWE

CWE-502, "Deserialization of Untrusted Data"

Secure Coding Guidelines for Java SE, Version 5.0

Guideline 8-3 / SERIAL-3: View deserialization the same as object construction

Bibliography

[API 2014]

Class Object
Class Hashtable

[Bloch 2008]

Item 75, "Consider Using a Custom Serialized Form"

[Greanier 2000]

 


[Harold 2006]

Chapter 11, "Object Serialization"

[Hawtin 2008]

Antipattern 8, "Believing Deserialisation Is Unrelated to Construction"

[Rapid7 2014]

Metasploit: Java AtomicReferenceArray Type Violation Vulnerability

...


...

Image Modified Image Modified Image Modified