Serialization is the process of converting a data object into a byte stream (binary stream), allowing it to be transported over a network or stored within a database, and then deserialized and used in its original format.
Because of its convenience, most high-level programming languages support this feature. Notably, Java Serialization has been at the center of, and the source of, many security vulnerabilities.
Oracle plans to cease support for Java Serialization
Reinhold emphasizes that Serialization is 'a serious mistake'
Responding to InfoWorld, Reinhold stated that adding serialization support in 1997 was a significant mistake.
Reinhold also mentioned that the Java development team is currently trying to remove serialization support from the core of the language, while still providing developers with a plug-in mechanism for serialization if new frameworks need it.
No new Java release or version will be issued for this, as Oracle's plan is to reduce serialization support, he added.
Until Oracle implements this, the company and project leads advise developers not to use the serialization/deserialization functions, or to prevent these attacks with the serialization filter added to Java in 2016, which completely blocks these activities.
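The serialization filter the article refers to is exposed in Java 9 and later through java.io.ObjectInputFilter. The following is an added example, not code from the article or from Oracle: the Order class, the pattern string and the method names are assumptions made for the illustration. It contrasts the unsafe pattern (readObject() instantiates whatever class the stream names) with a filtered stream that allowlists the one expected class and rejects everything else before any object is constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

// Hypothetical application type that the service legitimately expects on the wire.
final class Order implements Serializable {
    private static final long serialVersionUID = 1L;
    final String id;
    final int quantity;
    Order(String id, int quantity) { this.id = id; this.quantity = quantity; }
    @Override public String toString() { return "Order{" + id + " x" + quantity + "}"; }
}

public class FilteredDeserialization {

    // Allowlist filter: only Order (and the String it carries) may be deserialized;
    // the trailing "!*" rejects every other class. The leading limits cap nesting
    // depth, reference count, stream size and array length so a crafted stream
    // cannot exhaust memory before the class check runs.
    static final ObjectInputFilter ORDER_ONLY = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=256;maxbytes=65536;maxarray=1024;"
            + "Order;java.lang.String;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The unsafe pattern: readObject() instantiates whatever class the stream names.
    static Object deserializeUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // The hardened form: the filter is consulted for each class descriptor before
    // the object is instantiated; a rejection ends the read with InvalidClassException.
    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ORDER_ONLY);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample streams: one of the expected type, one of an
        // unrelated type standing in for any class the service never meant to accept.
        byte[] expected = serialize(new Order("A-17", 3));
        List<String> unrelated = new ArrayList<>();
        unrelated.add("not an Order");
        byte[] other = serialize(unrelated);

        System.out.println("unfiltered, unrelated class: " + deserializeUnfiltered(other).getClass());
        System.out.println("filtered, expected class:    " + deserializeFiltered(expected));
        try {
            deserializeFiltered(other);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unrelated class:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

The same pattern string can be applied process-wide with the jdk.serialFilter system property instead of per stream, which is useful when the deserializing code lives in a library you do not control; a per-stream filter as above is preferable where the expected types are known at the call site, because the allowlist can then be as narrow as that one endpoint needs.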
The security issue of serialization/deserialization
Attacks via serialization/deserialization operations have been known for many years, in one form or another, and became significant in early 2015 when two researchers, Chris Frohoff and Gabriel Lawrence, discovered a deserialization vulnerability in Apache Commons Collections, a popular Java library.
Researchers from Foxglove Security expanded the search for vulnerabilities in late 2015, demonstrating how attackers could exploit deserialization flaws in Java applications when developers misuse the Apache Commons Collections library to handle deserialization operations.
Their experiments showed that attackers could submit malicious data to popular Java applications such as WebLogic, WebSphere, JBoss, Jenkins, and OpenNMS. This data would be serialized and stored in a database or in memory, but when the application deserialized it, the application would also execute additional malicious code.
This vulnerability had a significant impact on the Java ecosystem in 2016, affecting 70 different Java libraries, even being used to breach PayPal servers. Organizations like Apache, Oracle, Cisco, Red Hat, Jenkins, VMWare, IBM, Intel, Adobe, HP, and SolarWinds also released security patches to address vulnerabilities in their products.
Deserialization vulnerabilities in Java are particularly dangerous. Google engineers have also worked to fix open-source Java libraries and limit the scope of the vulnerability, with over 2,600 projects patched. Google referred to this vulnerability as Mad Gadget, although it is also known as Java Apocalypse.
While security issues related to serialization/deserialization in Java have been known for a long time, the Java Apocalypse vulnerability is a warning to companies and the Java community to pay attention to how they serialize and deserialize their data.
Serialization vulnerability is a major issue in Java
In response to InfoWorld, Reinhold emphasized that serialization issues account for one third or even half of all known Java vulnerabilities.
Reinhold's assertion is entirely correct. For example, in the January 2018 security update, Oracle fixed 237 security vulnerabilities, with 28.5% addressing unsafe deserialization activities.
This issue is also quite common among companies. According to the ShiftLeft report, a significant number of serialization/deserialization vulnerabilities have been discovered in a large number of SaaS provider SDKs.
Just one Apache Struts (Java) deserialization flaw last year affected 65% of all companies on the Fortune 100 list, demonstrating how prevalent serialized data execution is and how a vulnerability can compromise the security of the world's leading companies.
While Oracle is addressing the issue in Java, serialization also affects other programming environments such as .NET, Ruby, and others.