The Java deserialization vulnerability have affected numerous Software-as-a-Service (SaaS) providers, which susceptibility is by deserialization-based remote control execution.
Java object is serializable if any of its superclasses implements the java.io.Serializable interface or its subinterface, java.io.Externalizable, while serialization means the conversion of its state to a byte stream so that it can be reverted back into a copy of the object.
Now, Oracle on accounts of the deserialization vulnerability plans to drop Java serialization which has really been the Achilles heel in SaaS platform security. According to Mark Reinhold, chief architect of the Java platform group at Oracle, the removal of serialization is part of Project Amber, which focuses on productivity-oriented Java language features.
There's a new framework been implemented to replace the current serialization technology, and it will support the Java version of data classes.
The framework would also support graph of records, with which developers could plug in a serialization engine of their choice in various formats such as JSON or XML, and it will enable serialization of records in a more secure environment.
Albeit, the deserialization vulnerability discovered in the Jackson-Databind module (CVE-2017–7525) in June 2017 was patched by creating a blacklist, but it doesn’t accept certain Java classes.
For unsafe serialization data streams to be accepted, there is a way to filter the classes to provide a defense mechanism against the serialization’s security weaknesses. Oracle received many reports about application servers running unprotected ports with the serialization streams, which is more reason the filtering capability has been developed.
Oracle to axe serialization based on Java Deserialization vulnerability
The Java deserialization vulnerability have affected numerous Software-as-a-Service (SaaS) providers, which susceptibility is by deserialization-based remote control execution.
Java object is serializable if any of its superclasses implements the java.io.Serializable interface or its subinterface, java.io.Externalizable, while serialization means the conversion of its state to a byte stream so that it can be reverted back into a copy of the object.
Now, Oracle on accounts of the deserialization vulnerability plans to drop Java serialization which has really been the Achilles heel in SaaS platform security. According to Mark Reinhold, chief architect of the Java platform group at Oracle, the removal of serialization is part of Project Amber, which focuses on productivity-oriented Java language features.
There's a new framework been implemented to replace the current serialization technology, and it will support the Java version of data classes.
The framework would also support graph of records, with which developers could plug in a serialization engine of their choice in various formats such as JSON or XML, and it will enable serialization of records in a more secure environment.
Albeit, the deserialization vulnerability discovered in the Jackson-Databind module (CVE-2017–7525) in June 2017 was patched by creating a blacklist, but it doesn’t accept certain Java classes.
For unsafe serialization data streams to be accepted, there is a way to filter the classes to provide a defense mechanism against the serialization’s security weaknesses. Oracle received many reports about application servers running unprotected ports with the serialization streams, which is more reason the filtering capability has been developed.
No comments