Page Information

Title:	SER12-J. Prevent deserialization of untrusted data
Author:	Will Klieber	Nov 11, 2015
Last Changed by:	Michal Rozenau	Jan 10, 2023
Tiny Link: (useful for email)	https://wiki.sei.cmu.edu/confluence/x/2DVGBQ
Export As:	Word · PDF

SEI CERT Oracle Coding Standard for Java (2)     Page: SER11-J. Prevent overwriting of externalizable objects     Page: SEC58-J. Deserialization methods should not perform potentially dangerous operations

Parent Page     Page: Rule 14. Serialization (SER)

• ser
• rule

Time	Editor
Jan 10, 2023 06:39	Michal Rozenau	View Changes
Parasoft Jtest 2022.2
Aug 06, 2021 09:33	Jon O'Donnell	View Changes
Nov 16, 2017 14:43	Will Snavely	View Changes
Sep 16, 2016 15:55	David Svoboda	View Changes
Sep 16, 2016 14:43	David Svoboda

External Links (14)
    https://tersesystems.com/2015/11/08/closing-the-open-door-o…
    https://www.securecoding.cert.org/confluence/display/java/O…
    cwe.mitre.org/data/definitions/502.html
    cwe.mitre.org/
    https://www.securecoding.cert.org/confluence/display/java/R…
    www.ibm.com/developerworks/library/se-lookahead/
    www.kb.cert.org/vuls/id/576313
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-050…
    https://docs.oracle.com/javase/8/docs/api/java/io/Serializa…
    https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?p…
    https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?p…
    https://github.com/frohoff/ysoserial
    foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-…
    https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?p…

SEI CERT Oracle Coding Standard for Java (6)     Page: Parasoft     Page: SER02-J. Sign then seal objects before sending them outside a trust boundary     Page: Parasoft_V     Page: SEC58-J. Deserialization methods should not perform potentially dangerous operations     Page: CodeSonar_V     Home page: SEI CERT Oracle Coding Standard for Java

SEI CERT C Coding Standard (1)     Page: CodeSonar