Surveying Five Years of Java Deserialization CVEs

The Java programming language has been one of the most popular programming languages for years. Starting in 2015, a weakness in a core facility of the Java platform, native object deserialization through ObjectInputStream.readObject, gained substantial attention in the security community: when an application deserializes bytes an attacker controls, the attacker chooses which classes are instantiated, and chains of otherwise benign classes on the classpath ("gadget chains") can turn that into arbitrary code execution. Research into Java deserialization produced a large number of CVEs, enough to place insecure deserialization in 8th position (A8) on the 2017 OWASP Top 10 Application Security Risks. Java is not the only language in which deserialization vulnerabilities occur, but Java deserialization vulnerabilities have gained particular attention for several reasons. One factor is that Java is extremely common, as seen in the image below, especially among enterprise applications. Another is that deserialization vulnerabilities are often high-impact, commonly resulting in remote code execution. Lastly, it has historically been hard to tell whether a given Java application is exploitable, in part because the gadget classes that make an attack possible may live in any of its many transitive dependencies rather than in the application's own code.
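The vulnerable pattern described above, beside the hardened form a practitioner would reach for on Java 9 and later (the JEP 290 serialization filter), as an added example that is not part of the original post and not taken from Erik Elbeih's research. The class names (`DeserializationFilterDemo`, `Greeting`) and the filter pattern are assumptions made for illustration; `java.util.HashMap` stands in for "a class the application never expected to deserialize", not for a real gadget chain.

```java
import java.io.*;

// Added example (not from the original post). Shows an unfiltered readObject()
// next to the same read guarded by a JEP 290 allowlist filter (Java 9+).
public class DeserializationFilterDemo {

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: the stream decides which classes get instantiated.
    // Any serializable class on the classpath, including gadget classes in
    // transitive dependencies, is fair game for the sender.
    static Object unsafeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: an allowlist filter. Only the classes named here may be
    // deserialized; "!*" rejects everything else, and the limits bound nesting
    // depth and array sizes. Pattern string is an assumed example for this demo.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "Greeting;java.lang.String;maxdepth=5;maxarray=1000;!*");

    static Object safeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);   // rejected classes raise InvalidClassException
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: the type the application expects...
        byte[] expected = serialize(new Greeting("hello"));
        // ...and a type it does not (a stand-in for an attacker-chosen class).
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());

        System.out.println("unsafe, expected   -> " + unsafeRead(expected).getClass().getName());
        System.out.println("unsafe, unexpected -> " + unsafeRead(unexpected).getClass().getName());

        System.out.println("safe,   expected   -> " + safeRead(expected).getClass().getName());
        try {
            safeRead(unexpected);
            System.out.println("safe,   unexpected -> accepted (filter misconfigured)");
        } catch (InvalidClassException e) {
            System.out.println("safe,   unexpected -> rejected: " + e.getMessage());
        }
    }
}

// The one domain type the application legitimately expects to receive.
class Greeting implements Serializable {
    private static final long serialVersionUID = 1L;
    final String text;

    Greeting(String text) {
        this.text = text;
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo` on JDK 9 or later. The same allowlist can be applied process-wide without touching code via the `-Djdk.serialFilter=...` JVM property, which is the usual first step when the vulnerable `readObject` call sits inside a third-party library. On Java 8 the filter API exists only as the backported `sun.misc.ObjectInputFilter` (8u121 and later); before that, the equivalent control is to subclass `ObjectInputStream` and override `resolveClass` to reject any class not on an allowlist. A denylist of known gadget classes is not a substitute, since new chains in existing dependencies keep being found, which is exactly the dynamic behind the CVE count the post surveys.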

Read more in Erik Elbeih’s security research on Java deserialization.
