Serious Java Deserialization Vulnerability Uncovered in 70 Libraries
How to, Technology and PC Security Forum

At the beginning of 2015, security researchers Gabriel Lawrence and Chris Frohoff demonstrated a remote code execution technique that abuses classes in Apache Commons Collections, one of the most widely used Java libraries. The library ships classes whose methods run arbitrary code when a deserialized object is touched, so any application that deserializes attacker-controlled bytes with the library on its classpath can be made to execute code of the attacker's choosing.


Later in 2015, researchers showed that the problem was far from academic: widely deployed Java applications were exposed because they passed user-supplied data straight to Java's native deserialization while the Apache library sat on the classpath.

What Is Serialization in Java?

Serialization is the process of turning an object into a sequence of bytes that can be persisted to disk or a database, or sent over a stream. The reverse process, rebuilding an object from a sequence of bytes, is called deserialization. In Java this is what ObjectOutputStream.writeObject() and ObjectInputStream.readObject() do, and the security-relevant detail is that the byte stream itself names the classes to be instantiated, so whoever controls the bytes controls which classes' deserialization hooks run.

The issue, loosely called a vulnerability, has raised some awareness in the Java community, but far from enough. Because the root cause is the application deserializing untrusted input rather than a defect in the library itself, little could be done beyond warning developers. (The Commons Collections project did later release versions 3.2.2 and 4.1, which refuse to deserialize the dangerous functor classes by default, but that only removes one gadget chain, not the underlying risk.)

70 Libraries Include the Apache Commons Collections

The issue is now much bigger in scope: 70 other libraries bundle or depend on Apache Commons Collections and therefore carry the same gadget classes into any application that uses them. Among the most popular are Apache Hadoop, Apache HBase, OpenJPA, JasperReports and Spring XD.

The problem is that all of these libraries pull Apache Commons Collections onto the classpath, so the exploitable classes are available to Java's deserialization machinery whether or not the application ever calls them directly. It is important to note that this does not make the libraries themselves vulnerable. The hole opens when an application deserializes user-supplied data with one of these 70 libraries present. "Sanitizing" the bytes is not a real fix, since the stream, not the application, decides which classes get instantiated; the practical mitigations are to avoid Java native serialization for untrusted input altogether, to restrict which classes ObjectInputStream is allowed to resolve (look-ahead deserialization, or the JEP 290 filters in Java 9 and later), and to upgrade Commons Collections.

Researchers also note that detecting Java deserialization vulnerabilities is tricky: the dangerous line is the application's own call to readObject() on untrusted input, not anything in the library, so scanning the library alone finds nothing. The problem is a blind spot that leaves defenders in a bad position at a time when attackers are increasingly targeting developers and the open source code they build on.

The full list of all 70 affected libraries was provided in an expandable section of the original article.

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.

