...
Serialization can be used maliciously, for example, to return multiple instances of a singleton class object. In this noncompliant code example (based on [Bloch 2005]), a subclass SensitiveClass inadvertently becomes serializable because it extends the java.lang.Number class, which implements Serializable.
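The following is an added example, not the page's own noncompliant code: it shows a singleton that is serializable only because it extends Number, demonstrates that a serialize/deserialize round trip yields a second instance, and places a hardened variant beside it that refuses serialization in both directions. The class names SingletonSerializationDemo, NumberSingleton, GuardedClass and the helper roundTrip are constructed for this example.

```java
import java.io.*;

public final class SingletonSerializationDemo {
    // Both variants extend Number, so both are Serializable without ever
    // declaring it; the Number methods are boilerplate shared here for brevity.
    abstract static class NumberSingleton extends Number {
        final double secret = 42.0; // constructed sample state, stands in for sensitive data
        @Override public int intValue() { return (int) secret; }
        @Override public long longValue() { return (long) secret; }
        @Override public float floatValue() { return (float) secret; }
        @Override public double doubleValue() { return secret; }
    }

    // Noncompliant shape: a private constructor alone does not stop
    // ObjectInputStream from building a second copy from a byte stream.
    static final class SensitiveClass extends NumberSingleton {
        static final SensitiveClass INSTANCE = new SensitiveClass();
        private SensitiveClass() {}
    }

    // Hardened shape: the private serialization hooks throw, so no stream of
    // this class can be produced here or accepted from outside.
    static final class GuardedClass extends NumberSingleton {
        static final GuardedClass INSTANCE = new GuardedClass();
        private GuardedClass() {}
        private void writeObject(ObjectOutputStream out) throws IOException {
            throw new NotSerializableException(getClass().getName());
        }
        private void readObject(ObjectInputStream in) throws IOException {
            throw new NotSerializableException(getClass().getName());
        }
    }

    // Serialize to an in-memory byte array and deserialize it again.
    static Object roundTrip(Object o) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()));
        return ois.readObject();
    }

    public static void main(String[] args) throws Exception {
        Object copy = roundTrip(SensitiveClass.INSTANCE);
        // A distinct object comes back: the singleton property is broken.
        System.out.println("distinct instance after round trip: " + (copy != SensitiveClass.INSTANCE));
        try {
            roundTrip(GuardedClass.INSTANCE);
        } catch (NotSerializableException e) {
            System.out.println("serialization refused for " + e.getMessage());
        }
    }
}
```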
...
| | CWE-499. Serializable class containing sensitive data |
| | CWE-502. Deserialization of untrusted data |
| Secure Coding Guidelines for the Java Programming Language, Version 3.0 | Guideline 5-2. Guard sensitive data during serialization |

Bibliography

| | Puzzle 83. Dyslexic monotheism |
| | Item 1. Enforce the singleton property with a private constructor |
| [JLS 2005] | |
| | Section 2.4, Serialization |
| [Sun 2006] | Serialization Specification, A.4, Preventing Serialization of Sensitive Data |
...