Warning over Java libraries and deserialization security weaknesses

2022-08-22 20:00

Boffins at universities in France, Germany, Luxembourg, and Sweden took a deep dive into known Java deserialization vulnerabilities, and have now resurfaced with their findings.

Log4Shell, the remote code execution flaw affecting the Apache Log4j logging library was made possible by Java deserialization.

In November 2016, a ransomware attack compromised more than two thousand computers run by the San Francisco Municipal Transportation Agency via an Apache Commons Collections Deserialization Vulnerability.

The entry point for the 2017 Equifax hack that resulted in the theft of personal data from 147.7 million Americans came from a Java deserialization flaw in Apache Struts.

Last July, there was an Atlassian Jira vulnerability in which an attacker capable of connecting to an Ehcache RMI network service "Could execute arbitrary code of their choice in Jira through deserialization due to a missing authentication vulnerability."

In a paper titled, "An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities," computer scientists Imen Sayar, Alexandre Bartel, Eric Bodden, and Yves Le Traon describe how they examined software libraries targeted by 19 publicly known Java deserialization RCE exploits to understand how gadgets - exploitable code constructs - get introduced into Java libraries and how attempts to get rid of gadgets sometimes fail.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/08/22/java_library_flaws/

#java #libraries #security