Over a million developers have joined DZone.

This Java Vulnerability Makes Heartbleed Look Tame

DZone's Guide to

This Java Vulnerability Makes Heartbleed Look Tame

Find out what the big deal is with the Java serialization security flaw that the community is buzzing about.

· Java Zone ·
Free Resource

Build vs Buy a Data Quality Solution: Which is Best for You? Gain insights on a hybrid approach. Download white paper now!

I've been receiving questions from some of you to provide a bit more detail on why the Java Serialization vulnerability is so critical to fix.

Why is This Such a Big Deal? 

It’s a big deal because many enterprise applications are vulnerable. It’s not fully automated, but it’s still pretty easy to find and exploit this problem in applications.  And it allows the attacker to completely take over the entire server the application is hosted on.  They could steal or corrupt any data accessible from that server, steal the application's code, change the application, or even use that server as a launching point for further attacks now that they are inside the data center.

What Exactly is the Vulnerability All About?

Programmers use “serialization" to transfer complex data structures between computers. It’s an easy way to take a whole bunch of “objects” and turn them into a single data stream that can be “deserialized” at the other end.   In this attack, special objects are serialized that cause the standard Java deserialization engine to run code of the attacker’s choosing.  It’s not exactly a problem in Java, or in any particular libraries.  It’s just a powerful functionality that organizations shouldn’t expose to untrusted users.

What Are the Implications For Enterprises?

They should immediately find all the places where they are using deserialization on untrusted data, as there is a high likelihood that it is exploitable.  Searching their code is only a partial solution, because frameworks and libraries that they are including in their applications might also create this exposure.

How Can it be Mitigated?

The deserialization vulnerability is tricky to mitigate because it can occur anywhere in your stack — your app server, framework, libraries, or custom code.  The best way to solve this problem is to use something called Runtime Application Self-Protection (RASP).  You add an agent to your Java environment that hardens everywhere that uses the deserialization engine and prevents it from being exploited.

Build vs Buy a Data Quality Solution: Which is Best for You? Maintaining high quality data is essential for operational efficiency, meaningful analytics and good long-term customer relationships. But, when dealing with multiple sources of data, data quality becomes complex, so you need to know when you should build a custom data quality tools effort over canned solutions. Download our whitepaper for more insights into a hybrid approach.

java ,serialization ,security

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}