Surveying Five Years of Java Deserialization CVEs

The Java programming language has been one of the most popular programming languages for years. Starting in 2015, a flaw in a core function of the Java language, deserialization, gained substantial attention in the security community. A large number of CVEs resulted from research into Java deserialization, enough to place deserialization vulnerabilities in 8th position on the 2017 OWASP Top 10 Application Security Risks. While Java is not the only language in which deserialization vulnerabilities occur, Java deserialization vulnerabilities have gained widespread attention in particular due to a number of factors. One factor is that Java is extremely common, as seen in the image below, especially among enterprise applications. Another factor is that deserialization vulnerabilities are often high-impact, commonly resulting in remote code execution. Lastly, it has historically been hard to determine whether a Java application is vulnerable to deserialization attacks, in part because Java applications have many interconnected dependencies.

Read more in Erik Elbeih's security research on Java deserialization.