
Java Deserialization Vulnerability

IDs: 
CVE-2015-4852
Keywords: 
java, serialization, deserialization
Description: 

Gabriel Lawrence and Chris Frohoff presented, in January 2015, in their talk "Marshalling Pickles - how deserializing objects will ruin your day" [1,2] at AppSecCali2015, various security problems that arise when applications accept serialized objects from untrusted sources. Since then, security researchers have created exploits for Java applications that process untrusted serialized Java objects. Tools already exist [3] that wrap a user-specified shell command in a serialized Java object to attack Java applications that perform unsafe object deserialization and have Apache Commons Collections on their class path. Other exploits [4] show that even standard JDK classes can be used to mount similar attacks.

Resolution: 

Airlock WAF can protect vulnerable back-ends. Details on how to protect such back-ends are described here.

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Airlock protects, requires changes in configuration