Over a million developers have joined DZone.

This Java Vulnerability Makes Heartbleed Look Tame

Find out what the big deal is with the Java serialization security flaw that the community is buzzing about.

· Java Zone

What every Java engineer should know about microservices: Reactive Microservices Architecture.  Brought to you in partnership with Lightbend.

I've been receiving questions from some of you to provide a bit more detail on why the Java Serialization vulnerability is so critical to fix.

Why is This Such a Big Deal? 

It’s a big deal because many enterprise applications are vulnerable. It’s not fully automated, but it’s still pretty easy to find and exploit this problem in applications.  And it allows the attacker to completely take over the entire server the application is hosted on.  They could steal or corrupt any data accessible from that server, steal the application's code, change the application, or even use that server as a launching point for further attacks now that they are inside the data center.

What Exactly is the Vulnerability All About?

Programmers use “serialization" to transfer complex data structures between computers. It’s an easy way to take a whole bunch of “objects” and turn them into a single data stream that can be “deserialized” at the other end.   In this attack, special objects are serialized that cause the standard Java deserialization engine to run code of the attacker’s choosing.  It’s not exactly a problem in Java, or in any particular libraries.  It’s just a powerful functionality that organizations shouldn’t expose to untrusted users.

What Are the Implications For Enterprises?

They should immediately find all the places where they are using deserialization on untrusted data, as there is a high likelihood that it is exploitable.  Searching their code is only a partial solution, because frameworks and libraries that they are including in their applications might also create this exposure.

How Can it be Mitigated?

The deserialization vulnerability is tricky to mitigate because it can occur anywhere in your stack — your app server, framework, libraries, or custom code.  The best way to solve this problem is to use something called Runtime Application Self-Protection (RASP).  You add an agent to your Java environment that hardens everywhere that uses the deserialization engine and prevents it from being exploited.

Microservices for Java, explained. Revitalize your legacy systems (and your career) with Reactive Microservices Architecture, a free O'Reilly book. Brought to you in partnership with Lightbend.

Topics:
java ,serialization ,security

Published at DZone with permission of Jeff Williams, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

The best of DZone straight to your inbox.

SEE AN EXAMPLE
Please provide a valid email address.

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.
Subscribe

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}