In my view the issue is not located in Java serialization, but insecure programming in some common open source libraries.
Attributing this exploit to Java Serialization is wrong, the exploit requires door opening non-jdk code to be present on the server.
Unfortunately some libraries accidentally do this, however its very unlikely this is a wide spread (mis-) programming pattern.
How can a class at server side open the door ?
- the class has to define readObject()
- the readObject() method has to be implemented in a way that allows to execute code sent from remote
I struggle to imagine a sane use case on why one would do something along the line of
"readObject(ObjectInputStream in) { Runtime.exec(in.readString()); }"
or
"readObject(ObjectInputStream in) { define_and_execute_class(in.readBytes()); }"
Anyway, it happened. Again: something like the code above must be present on the class path at server side, it cannot be injected from outside.
Fixing this for fast-serialization
- fast-serialization 2.43 introduces a delegate interface, which enables blacklisting/whitelisting of classes, packages or whole package trees. By narrowing down classes being allowed for serialization, one can assure only expected objects are deserialized.
- if you cannot upgrade to fst 2.43 for backward compatibility reasons, at least register a custom serializer for the problematic classes (see exploit details). As registered custom serializers are processed by fast-serialization before falling back to JDK serialization emulation, throwing an exception in the read or instantiate method of the custom serializer will effectively block the exploit.
- There is no significant performance impact as this is executed on initialization only
Hotfixing stock JDK Serialization implementation
(Verfied for JDK 1.8 only)
Use a subclass of ObjectInputStream instead of the original implementation and put in a blacklisting/whitelisting by overriding this method in ObjectInputStream:
(maybe also check resolveProxyClass, I'm not sure wether this also can get exploited [probably not]).
This will have a performance impact, so its crucial to have a efficient implementation of blacklisting/whitelisting here.
This will help close off some Java serialization attacks, but will not protect you from DoS attacks. See https://tersesystems.com/2015/11/08/closing-the-open-door-of-java-object-serialization/ for details.
ReplyDeleteمحسن ابراهیم زاده
DeleteI disagree, code injection requires a door-opening class at server side. Proper whitelisting will shut down any attempt to make use of the exploit.
حمید هیراد
"Whitelisting does not help"
ReplyDeleteI disagree, code injection requires a door-opening class at server side. Proper whitelisting will shut down any attempt to make use of the exploit.
Regarding the DOS sample (from your site): it does not show a vulnerability of serialization but of the implementation of AbstractSet.hashCode(). This could be DOS-attacked in various ways even if half-automated encodings like json are used.
Ofc a 100% save use of serialization at protocol level would require a careful selection of what classes are allowed in the payload, however it is not inherently more insecure than other encodings, one just needs to be restrictive on the data being tranmitted.
In general there is no 100% save software, so its always a trade-off in between development cost/technical limitation vs probability of being sucessfully attacked.
Being save against a widely known, easy to perform exploit actually will reduce the probability of getting attacked by a factor of 10 or more.
Same argument holds true for "security by obscurity": It actually lowers probabilty of getting attacked by random server scraping tools. It increases the cost for the attacker as he's required to work out a dedicated attack for your "obscure" software, which means the probability of being a victim is lowered significantly.
> Being save against a widely known, easy to perform exploit actually will reduce the probability of getting attacked by a factor of 10 or more.
ReplyDeleteI didn't say whitelisting didn't help. I said it wasn't enough. I did say obscurity didn't help.
Whitelisting and encryption will reduce the probability of a successful attack by some unknown amount, and will cut down on automated attacks. But the problem is not automated attacks, it's attacks period. Once they have a compromised host and know that Java serialization is being used, then they are free to poke at it any way they feel like. Not only that, but they share information and keep up to date on flaws in Java. It doesn't matter if it's obscure to developers, only if it's obscure to the attackers.
Good points, tend to agree. Obscurity does not lower vulnerability if the same "obscurity" is present in many places :). TL;DR if you are obscure be obscure in a unique way and this won't help if your site is specifically attacked.
DeleteYes -- site specific obscurity will help if the attacker is coming in from the outside, but will not help if the attacker is coming in from a compromised host, as they will be able to use that host's already configured channel to provide you with the malware.
Deletehttps://mkniit.blogspot.in
ReplyDeleteIf you are stuck with your online management assignment then in this case you can opt for our Database Management Assignment help. we provide the best assignment assignment help online.
ReplyDeleteWe also provide Advanced Database Management System help. for students across the globe.
for more information contact us +16692714848
decorative pillows for sofa
ReplyDeletegeometric pillow target
great java tips At SynergisticIT we offer the best java bootcamp
ReplyDeleteI read that Post and got it fine and informative.
ReplyDeleteappvalley download
Dhar Mann
lola Iolani Momoa
rolling paper alternatives
Spy Dialer
free edu email
ReplyDeleteHey friend, it is very well written article, thank you for the valuable and useful information you provide in this post. Keep up the good work! FYI, please check these depression, stress and anxiety related articles:
Essay on discipline , The Alchemist book review
You might want to take supplemental care during cleaning a good porcelain powder room sink since the device scratches conveniently. Avoid implementing steel made of wool, and choose clean sponge when the removal of surface unattractive stains. Wipe any sink during circular motions utilizing the sponge but some dish a cleaning agent, then off sink with warm water. If you will want nice shine in your porcelain washing up bowl, you can implement baking soda in addition to a soft cloth to stop sticky frizzy hair and a cleaning agent scum. Don’t put aside to at the same time clean the underside of any drain flaps, any caulk seal off, and any faucet. part time maids in dubai Spring Cleaning Maid Services Dubai UAE, For Booking: +971 56 996 7411
ReplyDeleteHello, I read this nice article. I think You put a best effort to write this perfect article. I appreciate your work. thank you so much.
ReplyDeleteRocky 2 Tiger Jacket
I got such a useful stuff on your website that helps me a lot to gain information.
ReplyDeleteSummertime Saga Benzeri Oyunlar
ReplyDeleteAmong Us Benzeri Oyunlar
Valorant Benzeri Oyunlar
Rust Benzeri Oyunlar
Fortnite Benzeri Oyunlar
ZX0AL
yurtdışı kargo
ReplyDeleteresimli magnet
instagram takipçi satın al
yurtdışı kargo
sms onay
dijital kartvizit
dijital kartvizit
https://nobetci-eczane.org/
BODF
salt likit
ReplyDeletesalt likit
dr mood likit
big boss likit
dl likit
dark likit
S2T
Think you're fine by using accidental breakage within your household merchandise? It is actually a fact the fact that maids from a home office cleaning expert services are perfectly trained they usually work by using caution, nonetheless accidents CONDUCT happen. Hiring an authorized company will increase the prospects of the service personnel being extra educated plus careful around whatever people do. Some providers even give accidental breakage insurance policies. babysitting nanny services dubai
ReplyDeleteافران الغاز pwT6ZUHJPz
ReplyDeleteشركة مكافحة حشرات بخميس مشيط uGeStEshPT
ReplyDeleteشركة رش حشرات بالاحساء rsYRXUIZ2f
ReplyDelete