Versions Compared

Unrestricted deserializing from a privileged context allows an attacker to supply crafted input which, upon deserialization, can yield objects that the attacker does not have permissions to construct. One example of this is the construction of a sensitive object, such as a custom class loader. (See guidelines SEC12-J. Do not grant untrusted code access to classes existing in forbidden packages and SEC13-J. Do not allow unauthorized construction of classes in forbidden packages.)

Noncompliant Code Example

...

This vulnerability was fixed in JDK v1.6 u11 by defining a new AccessControlContext INSTANCE, with a new ProtectionDomain. The ProtectionDomain encapsulated a RuntimePermission called accessClassInPackage.sun.util.calendar. Consequently, the code was granted the minimal set of permissions required to access the sun.util.calendar class. This whitelisting approach guaranteed that a security exception would be thrown in all other cases of invalid access. Refer to guideline SEC12-J. Do not grant untrusted code access to classes existing in forbidden packages for more details on allowing or disallowing access to packages.

...

The two-argument form of doPrivileged() allows stripping all permissions other than the ones specified in the ProtectionDomain. Refer to guideline SEC00-J. Follow the principle of least privilege for more details on using the two-argument doPrivileged() method.
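The following is an added illustration of the whitelisting pattern described in the two preceding passages; it is not the JDK's patched Calendar code or the guideline's own example. It builds an AccessControlContext whose single ProtectionDomain carries only the accessClassInPackage.sun.util.calendar RuntimePermission and then runs a class lookup under the two-argument doPrivileged(). The class name parameter and the loadRestricted() helper are hypothetical; a real readObject() would pass the fully qualified name it legitimately needs.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Permissions;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;

/**
 * Added example (not CERT's or the JDK's code). A privileged block is executed
 * under an AccessControlContext that holds exactly one permission, so every other
 * permission check made inside the block (file, socket, reflection, other
 * packages) is denied even though the surrounding code is fully trusted.
 */
public final class RestrictedPrivilegedAction {

    // Context with a single permission. A null CodeSource means the domain is
    // not tied to any particular code location or signer.
    private static final AccessControlContext INSTANCE;

    static {
        RuntimePermission perm =
            new RuntimePermission("accessClassInPackage.sun.util.calendar");
        Permissions perms = new Permissions();
        perms.add(perm);
        INSTANCE = new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, perms) });
    }

    /**
     * Loads a class by name inside a privileged block limited to INSTANCE.
     * (Hypothetical helper; the class name parameter is an assumption.)
     */
    static Class<?> loadRestricted(final String className)
            throws ClassNotFoundException {
        try {
            return AccessController.doPrivileged(
                new PrivilegedExceptionAction<Class<?>>() {
                    @Override
                    public Class<?> run() throws ClassNotFoundException {
                        // With a SecurityManager installed, a package-access check
                        // for anything outside sun.util.calendar throws
                        // SecurityException here: the effective permissions are the
                        // intersection of the caller's and INSTANCE's.
                        return Class.forName(className);
                    }
                },
                INSTANCE); // two-argument form: restrict to the given context
        } catch (PrivilegedActionException e) {
            // run() declares only ClassNotFoundException, so this cast is safe.
            throw (ClassNotFoundException) e.getException();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(loadRestricted("sun.util.calendar.ZoneInfo").getName());
    }
}
```

The restriction only takes effect when a SecurityManager is installed and performs the package-access check; with no SecurityManager the privileged block runs unrestricted. Note also that the SecurityManager and AccessController.doPrivileged() have been deprecated for removal since Java 17, so this pattern describes the JDK 6 era fix rather than a mechanism to rely on in new code.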

...

Deserializing objects from a privileged context can result in arbitrary code execution.

Rule      Severity  Likelihood  Remediation Cost  Priority  Level
SER09-J   high      likely      medium            P18       L1

...