Foojay Today

Deserialization Exploits in Java: Why Should I care?

July 14, 2022

Hackers refer to deserialization in Java as “the gift that keeps on giving”. But what is actually the problem? In most cases, it is not even your own code that creates the vulnerability: the dangerous behaviour lives in classes that merely happen to be on your classpath, and all your code does is hand untrusted input to a deserializer. The problem is also not restricted to Java’s native serialization mechanism. When deserializing JSON, XML, or YAML, similar issues can occur as well.

I recently gave a talk about this during Devoxx UK, the largest and most prestigious Java community conference in the United Kingdom. In this talk, I explain how deserialization vulnerabilities work natively in Java and how attack chains are created. This was loosely based on my blog post: “Serialization and deserialization in Java: explaining the Java deserialize vulnerability”.

Of course, the recent Log4j security problems with the Log4Shell vulnerability are part of this as well. A crafted lookup string in a logged message makes the application fetch an attacker-controlled object via JNDI; when that object arrives in serialized form, the usual deserialization machinery takes over. I explained how Log4Shell can be the kick-off point for a deserialization gadget chain in which the sink gadget ends up executing arbitrary code.

Other forms of deserialization, such as JSON, XML, and YAML, can get you into trouble too. The pattern is the same: as soon as the library lets the input decide which class gets instantiated (for example Jackson’s polymorphic type handling, or XML and YAML parsers that accept a class name in a tag), an attacker can pick a gadget class from your classpath. I already briefly explained this in the blog post Java JSON deserialization problems with the Jackson ObjectMapper; in this talk, I dig in a bit deeper and demo the actual consequences.
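To make the JSON case concrete, here is an added example. It is demo code written for this page, not code from the talk, the linked blog post or the Jackson project; the package and class names, the allowlisted package prefix demo.safe. and the JSON input are constructed assumptions. The same attacker-supplied document is read three ways: with Jackson’s default typing switched on, with a type allowlist, and with no polymorphic typing at all.

```java
package demo;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;

/**
 * Why "default typing" on an Object-typed property hands the attacker the choice
 * of which class Jackson instantiates, and how a type allowlist closes that hole.
 * Hypothetical demo code; class and package names are assumptions.
 */
public class JacksonTypingDemo {

    /** The DTO the application actually expects. The loosely typed field is the trap. */
    public static final class Envelope {
        public String id;
        public Object payload;   // with default typing the input names the concrete class
    }

    /**
     * Stand-in for a gadget class that happens to be on the classpath. A real one would
     * do something dangerous in a setter or constructor (JNDI lookup, file write, process
     * start); this one only records that attacker-controlled data reached it.
     */
    public static final class DemoSink {
        static volatile String lastCommand;
        public void setCommand(String command) {
            lastCommand = command;
        }
    }

    /** Constructed attacker input in Jackson's WRAPPER_ARRAY form: ["className", value]. */
    static final String HOSTILE_JSON =
        "{\"id\":\"42\",\"payload\":[\"demo.JacksonTypingDemo$DemoSink\",{\"command\":\"calc.exe\"}]}";

    /** Weak: the modern equivalent of the deprecated enableDefaultTyping(). Any classpath class is fair game. */
    static ObjectMapper weakMapper() {
        return new ObjectMapper().activateDefaultTyping(
            LaissezFaireSubTypeValidator.instance,
            ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
    }

    /** Hardened: only types under a package we control may be named by the input. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("demo.safe.")   // hypothetical package holding the intended subtypes
            .build();
        return new ObjectMapper().activateDefaultTyping(
            ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
    }

    /** Returns the class Jackson instantiated for "payload", or null if the type id was refused. */
    static String classInstantiatedBy(ObjectMapper mapper) throws Exception {
        try {
            Envelope e = mapper.readValue(HOSTILE_JSON, Envelope.class);
            return e.payload == null ? null : e.payload.getClass().getName();
        } catch (JsonMappingException denied) {
            // InvalidTypeIdException: the PolymorphicTypeValidator denied resolution of the type id
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("weak      -> " + classInstantiatedBy(weakMapper())
            + ", sink reached with: " + DemoSink.lastCommand);
        DemoSink.lastCommand = null;

        System.out.println("hardened  -> " + classInstantiatedBy(hardenedMapper())
            + ", sink reached with: " + DemoSink.lastCommand);

        // No polymorphic typing at all: the same input is just a List, no class name is resolved.
        Envelope plain = new ObjectMapper().readValue(HOSTILE_JSON, Envelope.class);
        System.out.println("no typing -> " + plain.payload.getClass().getName());
    }
}
```

With the laissez-faire validator the input names the class and its setter runs; the allowlist validator refuses the type id before any instance exists; and a mapper without polymorphic typing turns the same array into a plain list. A PolymorphicTypeValidator only helps if the allowlist is narrow: a broad prefix such as "java." gives most of the hole straight back.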

The most important part is of course how to avoid these issues in your own application. The talk gives concrete pointers on mitigating these problems in your own applications, including the newer JDK features such as JEP 415, the context-specific deserialization filters that shipped in Java 17.
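The two points above, that code from an unrelated class on the classpath runs as soon as the stream is read and that JEP 415 lets you enforce a filter on every stream in the process, in one added example. This is demo code written for this page, not code from the talk or the JDK; the class names, the allowlist pattern and the resource limits are assumptions. It needs Java 17 or later for the filter factory.

```java
package demo;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * Native Java deserialization with a JEP 415 filter factory. Hypothetical demo code;
 * the types, the allowlist pattern and the limits are assumptions made for this page.
 */
public class SerialFilterDemo {

    /** The only type this application legitimately expects to read. */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    /** Stand-in for a gadget: merely being on the classpath lets its readObject run. */
    public static final class Unlisted implements Serializable {
        private static final long serialVersionUID = 1L;
        static volatile boolean readObjectRan;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectRan = true;   // a real gadget would do something harmful here
        }
    }

    /** Allowlist plus resource limits in the JDK filter pattern syntax; unnamed classes are UNDECIDED. */
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
        "maxdepth=5;maxarray=1000;maxrefs=1000;maxbytes=65536;"
        + "demo.SerialFilterDemo$Greeting;java.lang.String");

    /**
     * JEP 415 filter factory. Invoked when a stream is constructed (current == null,
     * next == the JVM-wide filter, possibly null) and when code calls
     * setObjectInputFilter on a stream (current == the stream's filter, next == the
     * argument). The closed allowlist is always part of the result, so a per-stream
     * filter can only tighten the policy, never loosen it.
     */
    static ObjectInputFilter filterFor(ObjectInputFilter current, ObjectInputFilter next) {
        ObjectInputFilter base = (current != null)
            ? current
            : ObjectInputFilter.rejectUndecidedClass(ALLOWLIST);   // UNDECIDED class -> REJECTED
        return (next == null) ? base : ObjectInputFilter.merge(next, base); // REJECTED from either wins
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Reads with whatever filter the factory installs; returns null if the filter rejected the stream. */
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        } catch (InvalidClassException rejected) {   // message ends with "filter status: REJECTED"
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Must be set once, before the first ObjectInputStream is created in this JVM.
        ObjectInputFilter.Config.setSerialFilterFactory(SerialFilterDemo::filterFor);

        Object ok = readFiltered(serialize(new Greeting("hello")));
        System.out.println("allowed type read back: " + (ok instanceof Greeting));

        Object blocked = readFiltered(serialize(new Unlisted()));
        System.out.println("unlisted type rejected: " + (blocked == null)
            + ", its readObject ran: " + Unlisted.readObjectRan);
    }
}
```

The rejection happens when the class descriptor is read, before an instance exists, so the stand-in's readObject never runs. Order matters in filterFor: the allowlist is closed with rejectUndecidedClass before it is merged, so a filter passed to setObjectInputFilter can only add rejections; merging first and closing afterwards would let a permissive per-stream filter allow a class the allowlist never named. On JDK 9 to 16 there is no factory, so every stream needs setObjectInputFilter or the jdk.serialFilter property explicitly, which is exactly the gap JEP 415 closes.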

I honestly believe that this session gives you a better understanding of the problem space and lets you take action in your own code to prevent it.

Brian Vermeer

Java Champion & Developer Advocate and Software Engineer for Snyk. Passionate about Java, (Pure) Functional Programming, and Cybersecurity. Co-leading the Virtual JUG, NLJUG and DevSecCon community. Brian is also an ...
