Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Parasoft Jtest 2020.2

...

Using the default serialized form for any class with implementation-defined invariants may result in the malicious tampering of class invariants.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SER07-J

Medium

Probable

High

P4

L3

Automated Detection

Tool
Version
Checker
Description
Coverity7.5UNSAFE_DESERIALIZATIONImplemented
Parasoft Jtest
Include Page
java:
Parasoft_V
java:
Parasoft_V
SERIAL.RRSC
Implemented
Define a "readResolve" method for all instances of Serializable types

Related Guidelines

MITRE CWE

CWE-502, "Deserialization of Untrusted Data"

Secure Coding Guidelines for Java SE, Version 5.0

Guideline 8-3 / SERIAL-3: View deserialization the same as object construction

Bibliography

[API 2014]

Class Object
Class Hashtable

[Bloch 2008]

Item 75, "Consider Using a Custom Serialized Form"

[Greanier 2000]

 


[Harold 2006]

Chapter 11, "Object Serialization"

[Hawtin 2008]

Antipattern 8, "Believing Deserialisation Is Unrelated to Construction"

[Rapid7 2014]

Metasploit: Java AtomicReferenceArray Type Violation Vulnerability

 


...