Deserialization of Untrusted Data (Java Object Deserialization)
Description
This vulnerability occurs when an application deserializes (reconstructs objects from data) user-controlled input without proper validation. Java serialization converts objects into byte streams for storage or transmission, and deserialization reverses this process. When untrusted data is deserialized, attackers can craft malicious serialized objects that execute arbitrary code during the reconstruction process. This application has been identified as performing Java object deserialization on user-supplied data, creating a critical security risk.
Remediation
Eliminate the use of Java object deserialization on untrusted data. Implement the following remediation steps:
1. Replace native Java serialization with safer data formats such as JSON or XML, using libraries like Jackson or Gson that do not execute code during parsing.
2. If deserialization is unavoidable, implement strict input validation using a whitelist approach:
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;

// Implement ObjectInputFilter (Java 9+)
// Allow only the named application classes; the trailing "!*" rejects every other class.
ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
    "com.yourcompany.safe.Class1;com.yourcompany.safe.Class2;!*"
);
ObjectInputStream ois = new ObjectInputStream(inputStream);
// The filter is consulted for each class in the stream before an instance is created.
ois.setObjectInputFilter(filter);

3. Use look-ahead deserialization to validate class types before full deserialization.
4. Apply the principle of least privilege to the application runtime environment to limit the impact of potential exploitation.
5. Monitor and log all deserialization activities for security analysis and incident response.
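The following added example (not part of this finding's original text) combines steps 2 and 3: a look-ahead resolveClass() override that rejects unexpected classes before they are instantiated, layered with a Java 9+ ObjectInputFilter that adds resource limits. com.example.Order is a hypothetical application class standing in for whatever types the application legitimately expects; it is assumed to use only primitive and String fields, which need no additional class descriptors.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Set;

public class SafeDeserializer {

    // Allowlist of classes the application expects in this stream.
    // com.example.Order is a hypothetical placeholder for the real type.
    private static final Set<String> ALLOWED = Set.of("com.example.Order");

    // Look-ahead check: resolveClass() runs when the class descriptor is read,
    // before any instance exists, so a disallowed class never gets its
    // readObject() logic executed.
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        LookAheadObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                // Log the rejected class name for monitoring (step 5), then fail closed.
                System.err.println("Rejected deserialization of class: " + desc.getName());
                throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    // Second layer: same allowlist as a filter pattern, plus limits on graph depth,
    // array length, reference count and stream size to blunt resource-exhaustion payloads.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "com.example.Order;maxdepth=10;maxarray=1000;maxrefs=1000;maxbytes=65536;!*");

    // Deserialize untrusted bytes with both protections active.
    public static Object readAllowlisted(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new LookAheadObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }
}
```

A stream carrying any class other than com.example.Order fails with InvalidClassException before that class is instantiated; the limits in the filter pattern additionally reject oversized or deeply nested object graphs.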