...
In this noncompliant code example [Bloch 2005], a class with singleton semantics uses the default serialized form, which fails to enforce any implementation-defined invariants. Consequently, malicious code can create a second instance even though the class should have only a single instance. For purposes of this example, we assume that the class contains only nonsensitive data.
...
Note that this compliant solution is insufficient to protect sensitive data. See rule SER03-J, Do not serialize unencrypted sensitive data, for additional information.
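As an added illustration (not the rule's own noncompliant or compliant code), the following singleton uses `readResolve()` to replace whatever object deserialization creates with the canonical instance, so the stream cannot introduce a second one. The class name `Registry`, its `label` field and the `roundTrip` helper are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Singleton whose single-instance invariant survives serialization.
// Assumption: the class holds only nonsensitive data, as in the rule's example.
public final class Registry implements Serializable {
    private static final long serialVersionUID = 1L;
    private static final Registry INSTANCE = new Registry();

    // Placeholder state so there is something to round-trip (assumed field).
    private final String label = "default-registry";

    private Registry() { }

    public static Registry getInstance() { return INSTANCE; }

    public String label() { return label; }

    // Deserialization builds a fresh object without running the constructor.
    // readResolve hands back the canonical instance instead, so the default
    // serialized form can no longer yield a distinct second Registry.
    private Object readResolve() {
        return INSTANCE;
    }

    // Serializes the singleton and reads it back, returning what the stream
    // produced (helper written for this example).
    static Registry roundTrip(Registry r) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(r);
        }
        try (ObjectInputStream ois = new ObjectInputStream(
                new ByteArrayInputStream(bos.toByteArray()))) {
            return (Registry) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Registry copy = roundTrip(Registry.getInstance());
        // With readResolve present the identity check holds; remove it and the
        // default serialized form returns a separate object instead.
        System.out.println("same instance: " + (copy == Registry.getInstance()));
    }
}
```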
...
| Tool | Version | Checker | Description |
|---|---|---|---|
| Coverity | 7.5 | UNSAFE_DESERIALIZATION | Implemented |
Related Guidelines
| CWE-502, "Deserialization of Untrusted Data" | |
| Secure Coding Guidelines for the Java Programming Language, Version 3.0 | Guideline 5-3. View deserialization the same as object construction |
Bibliography
| [API 2006] | Class |
| Item 75, Consider using a custom serialized form | |
| Chapter 11, Object Serialization, Validation | |
| Antipattern 8. Believing deserialisation is unrelated to construction | |
| Metasploit: Java AtomicReferenceArray Type Violation Vulnerability | |
...