...
Whether a violation of this rule is exploitable depends on what classes are on the JVM's classpath. (Note that this is a property of the execution environment, not of the code being audited.) In the worst case, it could lead to remote execution of arbitrary code.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| SER12-J | High | Likely | High | P9 | L2 |
Automated Detection
Tool | Version | Checker | Description |
|---|
| CodeSonar |
| JAVA.CLASS.SER.ND | Serialization Not Disabled (Java) | ||||||
| Parasoft Jtest |
| CERT.SER12.VOBD | Validate objects before deserialization | ||||||
| Useful for developing exploits that detect violation of this rule |
It should not be difficult to write a static analysis to check for deserialization that fails to override resolveClass() to compare against a whitelist.
Related Guidelines
Bibliography
[API 2014] |
| [Terse 2015] | Terse Systems, Closing the Open Door of Java Object Serialization, Nov 8, 2015 |