Friends of OpenJDK Today

Deserialization Exploits in Java: Why Should I Care?

July 14, 2022

Author(s)

  • Brian Vermeer

    Java Champions & Developer Advocate and Software Engineer for Snyk. Passionate about Java, (Pure) Functional Programming, and Cybersecurity. Co-leading the Virtual JUG, NLJUG and DevSecCon community. Brian is also an ... Learn more

Hackers refer to deserialization in Java as “the gift that keeps on giving”. But what is actually the problem? In most cases, it is not even your own code that creates this security vulnerability. This problem is also not restricted to Java’s custom serialization framework. When deserializing JSON, XML, or YAML, similar issues can occur as well.

I recently gave a talk about this during Devoxx UK, the largest and most prestigious Java community conference in the United Kingdom. In this talk, I explain how deserialization vulnerabilities work natively in Java and how attack chains are created. This was loosely based on my blog post: “Serialization and deserialization in Java: explaining the Java deserialize vulnerability”.

Of course, the recent Log4j security problems with the Log4Shell vulnerability are part of this as well. I explained how Log4Shell can be a kick-off point for a deserialization gadget chain in which the sink gadget performs arbitrary code execution.

But you can also get into trouble with other types of deserialization, such as JSON, XML, and YAML. I already briefly explained this in the blog post Java JSON deserialization problems with the Jackson ObjectMapper, but in this talk I dig in a bit deeper and demo the actual consequences.

The most important part is, of course, how to avoid these issues in your own application. This talk gives some useful pointers on how to mitigate these problems in your own applications, including the new features in Java 17 such as JEP 415 (context-specific deserialization filters).
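As an added illustration of the JEP 415 mitigation mentioned above (example code written for this page, not code from the talk or the blog post), the following installs a JVM-wide filter factory that applies a strict allow-list to every `ObjectInputStream`, including streams opened by library code that never sets a filter of its own. The `Order` class, the allow-list and the resource limits are assumptions for the demo.

```java
import java.io.*;
import java.util.HashMap;
import java.util.function.BinaryOperator;

public class Jep415FilterDemo {
    // Constructed example type: the only class this application expects on the wire.
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku;
        final int quantity;
        Order(String sku, int quantity) { this.sku = sku; this.quantity = quantity; }
    }
    // Resource limits first (they REJECT or stay UNDECIDED), then a strict allow-list:
    // every class other than Order is REJECTED, so a gadget class is never even resolved.
    static final ObjectInputFilter APP_FILTER = ObjectInputFilter.merge(
            ObjectInputFilter.Config.createFilter("maxdepth=8;maxarray=1000;maxrefs=500;maxbytes=65536"),
            ObjectInputFilter.allowFilter(cls -> cls == Order.class, ObjectInputFilter.Status.REJECTED));

    // JEP 415 filter factory: called when any ObjectInputStream is constructed (current == null,
    // requested == JVM-wide filter or null) and on every setObjectInputFilter call, so it also
    // covers streams opened by library code. APP_FILTER answers first; merge() consults the
    // other filter only where APP_FILTER is UNDECIDED, so no caller can widen the allow-list.
    static final BinaryOperator<ObjectInputFilter> FACTORY = (current, requested) -> {
        ObjectInputFilter base = current == null ? APP_FILTER : current;
        return requested == null ? base : ObjectInputFilter.merge(base, requested);
    };

    static byte[] serialize(Object o) throws IOException {
        var bos = new ByteArrayOutputStream();
        try (var oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    // Deliberately never calls setObjectInputFilter: the factory still applies APP_FILTER.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (var ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) { return ois.readObject(); }
    }

    public static void main(String[] args) throws Exception {
        // Must run before the first ObjectInputStream is created; allowed only once per JVM.
        ObjectInputFilter.Config.setSerialFilterFactory(FACTORY);
        Order ok = (Order) deserialize(serialize(new Order("SKU-42", 3)));
        System.out.println("accepted: " + ok.sku + " x " + ok.quantity);
        // An empty HashMap stands in for any unexpected class, e.g. the head of a gadget chain.
        try {
            deserialize(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Requires Java 17 or later; a pre-JEP 415 alternative is the `jdk.serialFilter` system property, but that only protects streams that use the JVM-wide filter and cannot adapt per context.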

I honestly believe that this session gives you a better understanding of the problem space and enables you to take action in your own code to prevent it.


