
It is not unusual for Java code to deserialize data that comes from an untrusted source. A serializable class can implement the private method readObject(ObjectInputStream), which ObjectInputStream invokes while an object of that class is being deserialized. This method (as well as related hooks such as readResolve(), readObjectNoData(), and readExternal() on Externalizable classes) must treat the serialized data as potentially malicious: it must not perform dangerous operations, and it must not set the stage for such operations to be performed later in the deserialization process, for example by storing attacker-supplied values that a method invoked afterwards by the stream (hashCode(), equals(), toString(), and so on) acts upon. In particular, simply deserializing data must never invoke Runtime.exec().


Non-Compliant Code Example
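The following is an added example, not code from the original page: a hypothetical class `Command` whose readObject() runs a shell command that the stream itself supplies. The class and method names, the `/bin/sh -c` invocation (Unix only), and the constructed payload are illustrative assumptions. Note that the receiving code never mentions `Command`; it is enough that the class is on the classpath and that readObject() is called on untrusted bytes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Hypothetical class (added example) that violates SER13-J: the mere act of
// deserializing an instance runs a command that the untrusted stream supplies.
final class Command implements Serializable {
    private static final long serialVersionUID = 1L;

    private String command;

    Command(String command) {
        this.command = command;
    }

    // Invoked by ObjectInputStream while an instance is being deserialized.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();   // 'command' is now whatever the stream contained
        // Dangerous operation performed as a side effect of deserialization.
        // (Unix-only in this demo; the attacker chooses the string.)
        Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", command});
    }
}

public class NoncompliantDeserialization {

    // Stand-in for the attacker: any party who can write bytes into the stream.
    static byte[] craft(String payload) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(new Command(payload));
        }
        return bos.toByteArray();
    }

    // Stand-in for the victim. It does not name Command anywhere; it only
    // expects "some object" and the class merely has to be on the classpath.
    static Object receive(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();   // Command.readObject() runs inside this call
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed, harmless payload for the demo; a real payload is anything /bin/sh accepts.
        byte[] bytes = craft("touch /tmp/ser13j-demo");
        Object o = receive(bytes);
        System.out.println("Deserialized a " + o.getClass().getName()
                + "; the receiver ran no command itself, yet /tmp/ser13j-demo is being created");
    }
}
```

The same defect exists in a less obvious form if readObject() only stores the string and a later call such as toString() or hashCode() executes it: standard collection classes (HashMap, for instance) invoke hashCode() on keys from inside their own readObject(), so the "later" operation still happens during deserialization.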


Compliant Solution
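The following is an added example, not code from the original page. The hypothetical `ScheduledTask` class keeps readObject() free of side effects: it restores the fields and re-checks the invariant the constructor enforces, rejecting anything else with InvalidObjectException. Running the task is a separate decision the application makes after deserialization. The receiving side additionally installs a deserialization filter (java.io.ObjectInputFilter, Java 9 and later) so that classes it does not expect are rejected before any of their readObject() code can run; the allowlist, the filter pattern, and the `UntrustedPayload` stand-in class are assumptions for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

// Hypothetical class (added example) that follows SER13-J: readObject() only
// restores and re-validates state. Executing the task is an explicit, separate
// step the application takes after deserialization has finished.
final class ScheduledTask implements Serializable {
    private static final long serialVersionUID = 1L;

    // Assumed allowlist: the only task names this application knows how to run.
    private static final Set<String> ALLOWED = Set.of("backup", "rotate-logs");

    private final String name;

    ScheduledTask(String name) {
        if (!ALLOWED.contains(name)) {
            throw new IllegalArgumentException("unknown task: " + name);
        }
        this.name = name;
    }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        // The stream bypassed the constructor, so re-establish its invariant here.
        // No side effects and no Runtime.exec(); bad data is simply rejected.
        if (name == null || !ALLOWED.contains(name)) {
            throw new InvalidObjectException("rejected task name: " + name);
        }
    }

    String name() {
        return name;
    }
}

// Hypothetical stand-in for an unexpected (possibly malicious) class in the stream.
final class UntrustedPayload implements Serializable {
    private static final long serialVersionUID = 1L;

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        System.out.println("UntrustedPayload.readObject() ran");   // must never be reached below
        in.defaultReadObject();
    }
}

public class CompliantDeserialization {

    // Deserialization filter: allow ScheduledTask and JDK types from java.base
    // (String is needed for the field); reject every other class before it is
    // instantiated. Patterns are matched in order, so the "!*" reject comes last.
    static final ObjectInputFilter FILTER =
            ObjectInputFilter.Config.createFilter("ScheduledTask;java.base/*;!*");

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    static ScheduledTask receive(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(FILTER);   // must be set before the first readObject()
            return (ScheduledTask) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. Expected input: deserialization merely reconstructs the object. Running it
        //    (e.g. a hypothetical TaskRunner.run(task.name())) is a later, deliberate call.
        ScheduledTask task = receive(serialize(new ScheduledTask("backup")));
        System.out.println("Restored task: " + task.name());

        // 2. Unexpected class in the stream: the filter rejects it while the class
        //    descriptor is being read, so UntrustedPayload.readObject() never runs.
        try {
            receive(serialize(new UntrustedPayload()));
        } catch (InvalidClassException e) {
            System.out.println("Rejected by filter: " + e.getMessage());
        }
    }
}
```

The two measures are complementary: the filter limits which classes may be instantiated at all, and the validating readObject() limits what state an allowed class may be given. Neither one executes anything on behalf of the stream.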


Risk Assessment

Rule      Severity   Likelihood   Remediation Cost   Priority   Level
SER13-J   High       Likely       High               P9         L2

Automated Detection

Tool        Version   Checker   Description
ysoserial                       Useful for developing exploits that demonstrate violations of this rule

Related Guidelines

MITRE CWE

CWE-502, Deserialization of Untrusted Data

Bibliography

http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2894

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3253
