Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Whether a violation of this rule is exploitable depends on what classes are on the JVM's classpath.  (Note that this is a property of the execution environment, not of the code being audited.) In the worst case, it could lead to remote execution of arbitrary code.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SER12-J

High

LikelyHighP9L2

Automated Detection

Tool
Version
Checker
Description

ysoserial

  
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

JAVA.CLASS.SER.ND

Serialization Not Disabled (Java)

ysoserial



Useful for developing exploits that detect violation of this rule

It should not be difficult to write a static analysis to check for deserialization that fails to override resolveClass() to compare against a whitelist.

 Related Guidelines

MITRE CWE

CWE-502, Deserialization of Untrusted Data

Bibliography