Oracle Plans to Drop Java Serialization Support, the Source of Most Security Bugs
Oracle plans to drop support for data serialization/deserialization from the main body of the Java language, according to Mark Reinhold, chief architect of the Java platform group at Oracle.
Serialization is the process of taking a data object and converting it into a stream of bytes (binary format), so it can be transported across a network or saved inside a database, only to be deserialized later and used in its original form.
Because of its convenience, a large number of high-level programming languages support the feature but nowhere has it been more of a headache than in Java, where it’s been at the heart of a constant stream of security flaws.
Reinhold: Serialization was a “horrible mistake”
Reinhold says the Java team is currently working on dropping serialization support for good from the language’s main body, while still providing developers with a plug-in system, via a new framework, to support serialization operations if needed.
There’s no set date or Java version for when Oracle plans to drop serialization, Reinhold said.
But until Oracle does this, companies and project leads that don’t want a developer or a rogue module calling serialization/deserialization functions can prevent this via a “serialization filter” that was added in Java back in 2016, and which will block these operations altogether.
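The filter mechanism mentioned above is the JEP 290 `ObjectInputFilter` API; the following is an added example (not code from the article) showing both the deny-all setting that blocks deserialization outright and an allowlist that admits only an expected class. The `Payload` class and the byte stream are constructed for the demo, and it assumes Java 9 or later.

```java
import java.io.*;

// Constructed demo (not from the article): per-stream JEP 290 filters.
public class SerialFilterDemo {

    // Constructed sample class; stands in for whatever an application serializes.
    static class Payload implements Serializable {
        private static final long serialVersionUID = 1L;
        String note = "constructed sample object";
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The pattern uses the JEP 290 syntax: "!*" rejects every class;
    // "A;B;!*" allows only classes matching A or B and rejects the rest.
    // The same strings work process-wide via -Djdk.serialFilter=<pattern>.
    static Object deserialize(byte[] bytes, String pattern)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);   // must be set before readObject()
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = serialize(new Payload());

        // 1. Block deserialization altogether: every class descriptor is rejected,
        //    so readObject() throws InvalidClassException before any instance
        //    of a class from the stream is created.
        try {
            deserialize(bytes, "!*");
        } catch (InvalidClassException e) {
            System.out.println("deny-all filter: " + e.getMessage());
        }

        // 2. Allowlist: only the expected class (plus java.base types such as
        //    String) is accepted; any other class in the stream is rejected.
        Payload p = (Payload) deserialize(bytes, "SerialFilterDemo$Payload;java.base/*;!*");
        System.out.println("allowlist filter accepted: " + p.note);
    }
}
```

The deny-all pattern is the practical equivalent of the "block these operations altogether" option described above; the allowlist form is what to use when a component genuinely needs Java serialization for a known set of classes.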
The serialization/deserialization security problem
Attacks via serialization/deserialization operations have been known for years, in one form or another, but they became everyone’s problem in early 2015 when two researchers — Chris Frohoff and Gabriel Lawrence — found a deserialization flaw in Apache Commons Collections, a very popular Java library. Researchers from Foxglove Security expanded on the initial work in late 2015, showing how an attacker could use a deserialization flaw in Java applications where developers had incorrectly used the Apache Commons Collections library to handle deserialization operations.
The flaw rocked the Java ecosystem in 2016, as it also affected 70 other Java libraries, and was even used to compromise PayPal’s servers. Organizations such as Apache, Oracle, Cisco, Red Hat, Jenkins, VMware, IBM, Intel, Adobe, HP, and SolarWinds all issued security patches to fix their products.
While Java serialization/deserialization security issues were known for a long time, the 2015 Java Apocalypse served as a wake-up call for many companies, and the Java community as a whole, who started paying more attention to how they serialize and later deserialize data.
Serialization bugs have been a big problem for Java
Reinhold told InfoWorld that serialization issues could be very easily responsible for a third or even a half of all known Java flaws.
His assessment is most likely correct. For example, Oracle’s January 2018 security updates fixed 237 vulnerabilities, of which 28.5% addressed unsafe deserialization operations.
The issue is also very widespread across companies. A ShiftLeft report revealed numerous serialization/deserialization flaws across a large number of SaaS vendor SDKs. While Oracle is addressing the issue in Java, serialization also affects other programming environments like .NET, Ruby, and others, where the issue remains dormant.