Hackers refer to deserialization in Java as “the gift that keeps on giving”. But what actually is the problem? In most cases it is not even your own code that creates the security vulnerability. The problem is also not restricted to Java’s own serialization framework: deserializing JSON, XML, or YAML can lead to similar issues.
I recently gave a talk about this during Devoxx UK, the largest and most prestigious Java community conference in the United Kingdom. In this talk, I explain how deserialization vulnerabilities work natively in Java and how attack chains are created. This was loosely based on my blog post: “Serialization and deserialization in Java: explaining the Java deserialize vulnerability”.
Of course, the recent Log4j security problems around the Log4Shell vulnerability are part of this as well. I explained how Log4Shell can be the kick-off point for a deserialization gadget chain in which the sink gadget performs arbitrary code execution.
You can also get into trouble with other kinds of deserialization such as JSON, XML, and YAML. I already briefly explained this in the blog post Java JSON deserialization problems with the Jackson ObjectMapper, but in this talk I dig in a bit deeper and demo the actual consequences.
The most important part is, of course, how to avoid these issues in your own application. The talk gives some practical pointers on mitigating these problems in your own applications, including the new features in Java 17 such as JEP 415.
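To make the mitigation concrete, here is an added example (not code from the talk or the blog post) showing the two building blocks the JDK gives you for native Java serialization: a per-stream allow-list filter in the JEP 290 pattern syntax, and the JEP 415 (Java 17) filter factory that applies a process-wide policy to every ObjectInputStream. The `Greeting` class, the `DeserializationFilterDemo` class name and the sample objects are constructed for this example; the `ObjectInputFilter` API calls are the real java.io ones.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

public class DeserializationFilterDemo {

    // Constructed sample type: the one class this application expects to read back.
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final int id;
        Greeting(int id) { this.id = id; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Allow-list filter in the JEP 290 pattern syntax: accept only Greeting, reject
    // every other class ("!*"), and cap graph depth and array sizes so a hostile
    // stream cannot exhaust memory before the class check even runs.
    static ObjectInputFilter greetingOnlyFilter() {
        return ObjectInputFilter.Config.createFilter(
                "maxdepth=5;maxarray=1000;" + Greeting.class.getName() + ";!*");
    }

    static Object deserialize(byte[] data, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter); // stream-specific filter (JEP 290)
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // JEP 415 (Java 17): install a process-wide filter factory. It is consulted
        // when every ObjectInputStream is created (current == null, next == the
        // JVM-wide filter from -Djdk.serialFilter, if any) and again whenever code
        // calls setObjectInputFilter (current == the stream's filter so far, next ==
        // the requested one). Merging keeps the JVM-wide filter in force, and
        // rejectUndecidedClass turns "no filter had an opinion" into a rejection.
        ObjectInputFilter.Config.setSerialFilterFactory((current, next) -> {
            if (current == null && next == null) {
                return null; // nothing configured at all
            }
            ObjectInputFilter combined = (current == null) ? next
                    : (next == null) ? current
                    : ObjectInputFilter.merge(current, next);
            return ObjectInputFilter.rejectUndecidedClass(combined);
        });

        ObjectInputFilter filter = greetingOnlyFilter();

        // Expected type: passes the filter and deserializes normally.
        Greeting g = (Greeting) deserialize(serialize(new Greeting(42)), filter);
        System.out.println("accepted Greeting with id " + g.id);

        // Any other class in the stream, here a harmless ArrayList standing in for
        // whatever an untrusted stream might carry, is rejected before its own
        // readObject logic ever runs.
        try {
            deserialize(serialize(new ArrayList<String>()), filter);
            System.out.println("unexpected: ArrayList was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run it with `java DeserializationFilterDemo.java` on Java 17 or later. The important design point is that the filter decides on the class descriptor before any `readObject` of that class executes, so a gadget class never gets to run; the factory is set once per JVM and cannot be replaced afterwards, which is exactly why it belongs in application start-up rather than in library code.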
I honestly believe that this session gives a better understanding of the problem space and enables you to take action in your code to prevent it.