Page Information

Title:	SEC58-J. Deserialization methods should not perform potentially dangerous operations
Author:	Will Klieber	Nov 11, 2015
Last Changed by:	Will Snavely	Nov 16, 2017
Tiny Link: (useful for email)	https://wiki.sei.cmu.edu/confluence/x/1DVGBQ
Export As:	Word · PDF

SEI CERT Oracle Coding Standard for Java (2)     Page: SER13-J. Deserialization methods should not perform potentially dangerous operations     Page: SER12-J. Prevent deserialization of untrusted data

Parent Page     Page: Rec. 15. Platform Security (SEC)

• sec
• recommendation

Time	Editor
Nov 16, 2017 14:43	Will Snavely	View Changes
Sep 16, 2016 15:50	David Svoboda	View Changes
Sep 16, 2016 14:14	David Svoboda	View Changes
intro wordsmithing
Sep 16, 2016 14:09	David Svoboda	View Changes
code example wordsmithing
Sep 16, 2016 13:44	David Svoboda
wordsmithing

External Links (13)
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-289…
    https://docs.oracle.com/javase/8/docs/api/java/io/Serializa…
    https://www.securecoding.cert.org/confluence/display/java/R…
    https://www.securecoding.cert.org/confluence/display/java/R…
    https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?p…
    cwe.mitre.org/data/definitions/502.html
    cwe.mitre.org/
    www.kb.cert.org/vuls/id/576313
    foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-…
    https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?p…
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-325…
    https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?p…
    https://github.com/frohoff/ysoserial

SEI CERT Oracle Coding Standard for Java (3)     Home page: SEI CERT Oracle Coding Standard for Java     Page: SER07-J. Do not use the default serialized form for classes with implementation-defined invariants     Page: SER12-J. Prevent deserialization of untrusted data