...
Using the default serialized form for any class with implementation-defined invariants lets an attacker who controls the serialized stream set fields to values the constructors would never accept, tampering with the class invariants without ever running the constructor.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
SER07-J | Medium | Probable | High | P4 | L3 |
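The following is an added example written for this edit, not code from the CERT rule or from any of the tools listed below. A hypothetical `UncheckedPercentage` class keeps its invariant (0 to 100) only in the constructor and relies on the default serialized form; a hypothetical `CheckedPercentage` re-validates in `readObject`. The stream-patching helper assumes the class has exactly one `int` field and no serializable superclass, so in the default serialized form that field occupies the last four bytes of the stream.

```java
import java.io.*;

/*
 * Added example (not part of the CERT page): serialize an object with an
 * invariant, overwrite the field value in the stream bytes, and deserialize.
 * The default serialized form accepts the tampered value; a validating
 * readObject rejects it.
 */
public class SerializedFormTampering {

    /** Default serialized form: the constructor's range check is bypassed on deserialization. */
    static final class UncheckedPercentage implements Serializable {
        private static final long serialVersionUID = 1L;
        private final int value;

        UncheckedPercentage(int value) {
            if (value < 0 || value > 100) throw new IllegalArgumentException("out of range: " + value);
            this.value = value;
        }
        int value() { return value; }
    }

    /** Same invariant, but readObject re-validates the restored state after defaultReadObject(). */
    static final class CheckedPercentage implements Serializable {
        private static final long serialVersionUID = 1L;
        private final int value;

        CheckedPercentage(int value) {
            if (value < 0 || value > 100) throw new IllegalArgumentException("out of range: " + value);
            this.value = value;
        }
        int value() { return value; }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // Treat deserialization like construction: enforce the invariant on the restored fields.
            if (value < 0 || value > 100) {
                throw new InvalidObjectException("value out of range: " + value);
            }
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    /**
     * Overwrites the int field in the stream. Assumption (stated in the lead-in):
     * the class has a single int field and no serializable superclass, so the
     * default serialized form ends with that int as four big-endian bytes.
     */
    static byte[] tamper(byte[] stream, int newValue) {
        byte[] out = stream.clone();
        int n = out.length;
        out[n - 4] = (byte) (newValue >>> 24);
        out[n - 3] = (byte) (newValue >>> 16);
        out[n - 2] = (byte) (newValue >>> 8);
        out[n - 1] = (byte) newValue;
        return out;
    }

    public static void main(String[] args) throws Exception {
        byte[] unchecked = tamper(serialize(new UncheckedPercentage(50)), 9999);
        UncheckedPercentage u = (UncheckedPercentage) deserialize(unchecked);
        System.out.println("default serialized form accepted value " + u.value()); // invariant violated

        byte[] checked = tamper(serialize(new CheckedPercentage(50)), 9999);
        try {
            deserialize(checked);
            System.out.println("unexpected: tampered stream accepted");
        } catch (InvalidObjectException e) {
            System.out.println("validating readObject rejected the stream: " + e.getMessage());
        }
    }
}
```

The check in `readObject` is the minimal fix; classes with more complex state are better served by a custom serialized form or a serialization proxy so that the constructor, rather than field-level reflection, rebuilds the object.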
Automated Detection
Tool | Version | Checker | Description
---|---|---|---
CodeSonar | | JAVA.CLASS.SER.ND | Serialization Not Disabled (Java)
Coverity | 7.5 | UNSAFE_DESERIALIZATION | Implemented
Parasoft Jtest | | CERT.SER07.RRSC | Define a "readResolve" method for all instances of Serializable types
Related Guidelines
MITRE CWE | CWE-502, "Deserialization of Untrusted Data"
Secure Coding Guidelines for Java SE | Guideline 8-3 / SERIAL-3: View deserialization the same as object construction
Bibliography
[API 2014] |
| Item 75, "Consider Using a Custom Serialized Form"
| Chapter 11, "Object Serialization"
| Antipattern 8, "Believing Deserialisation Is Unrelated to Construction"
[Rapid7 2014] | Metasploit: Java AtomicReferenceArray Type Violation Vulnerability
...
...