...
Noncompliant Code Example (CVE-2008-5353: ZoneInfo)
[CVE-2008-5353|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5353] describes a Java vulnerability discovered in August 2008 by Sami Koivu [CVE 2008]. Julien Tinnes subsequently wrote an exploit that allowed arbitrary code execution on multiple platforms running vulnerable versions of Java. The problem resulted from deserializing untrusted input from within a privileged context. The vulnerability involves the {{sun.util.calendar.ZoneInfo}} class, which, being serializable, is deserialized by the {{readObject()}} method of the {{ObjectInputStream}} class.
The default security model of an applet does not allow access to {{sun.util.calendar.ZoneInfo}} because applets are not permitted to invoke any method of any class in the {{sun}} package. As a result, prior to JDK 1.6 u11, the acceptable method for an unsigned applet to deserialize a {{ZoneInfo}} object was to execute the call from a privileged context, such as a {{doPrivileged()}} block. This constitutes a vulnerability because there is no guaranteed way of knowing whether the serialized stream contains a bona fide {{ZoneInfo}} object rather than an instance of a malicious serializable class. The vulnerable code casts the deserialized object to the {{ZoneInfo}} type, which typically causes a {{ClassCastException}} if the actual deserialized class is not {{ZoneInfo}}. This exception, however, is of little consequence: by the time the cast fails, the object has already been instantiated, and it is possible to store a reference to the newly created object in a static context so that the garbage collector cannot act upon it.
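The following is an added illustration, not code from the CERT page, of why a cast after {{readObject()}} comes too late and how a look-ahead class check closes the gap. It overrides {{ObjectInputStream.resolveClass()}} to refuse any class outside a hypothetical allow-list before that class is loaded or instantiated; the sample payload (a plain {{java.util.Date}}) is constructed here only to stand in for an unexpected object in the stream.

```java
import java.io.*;
import java.util.Set;

public class ZoneInfoDeserializer {

    // Hypothetical allow-list: the only class this stream is expected to carry.
    private static final Set<String> ALLOWED = Set.of("sun.util.calendar.ZoneInfo");

    /** Vulnerable pattern from the page: deserialize first, check the type afterwards. */
    static Object deserializeThenCast(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            // Whatever class the stream names has already been loaded and constructed here;
            // a later cast to ZoneInfo can only throw ClassCastException, not undo that.
            return in.readObject();
        }
    }

    /** Hardened variant: reject any class not on the allow-list before it is resolved. */
    static Object deserializeChecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc)
                    throws IOException, ClassNotFoundException {
                if (!ALLOWED.contains(desc.getName())) {
                    throw new InvalidClassException(desc.getName(), "class not permitted in stream");
                }
                return super.resolveClass(desc);
            }
        }) {
            return in.readObject();
        }
    }

    // Constructed sample input: a benign but unexpected serializable object.
    static byte[] sample() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(new java.util.Date(0));
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] data = sample();
        System.out.println("unchecked read produced: " + deserializeThenCast(data).getClass());
        try {
            deserializeChecked(data);
        } catch (InvalidClassException e) {
            System.out.println("rejected before instantiation: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same allow-list is better expressed with a serialization filter ({{ObjectInputFilter}}), which applies the check uniformly without subclassing.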
...
Bibliography
[API 2006]
[CVE 2008] CVE-2008-5353, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5353
...