Details
-
Enhancement
-
Status: Resolved
-
P4
-
Resolution: Rejected
-
6u43
-
None
-
x86
-
linux
Description
A DESCRIPTION OF THE REQUEST :
Security sandbox protect ObjectInputStream is weakness, only control two parameters
1. enableSubclassImplementation 2. enableSubstitution
Actually ObjectInputStream should introduce the protection for class name while deserialize the object.
We can't depend on the checking the object to make the security for deseialize object.
test obj = (test) objectInputStream.readObject();
If deliver the viruses serialize object to ObjectInputStream, it had been executed.
EX.
Class viruses implements Serializable {
private void readObject(java.io.ObjectInputStream s) {
s.defaultReadObject();
System.out.println("Execute");
}
}
However the "execute" message will be printed although it isn't test object.
JUSTIFICATION :
CVE-2015-7501
Spring framework RCE leak
If use basic ObjectInputStream deserialize the object, can't make sure the process is safe.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Not test class will reject
ACTUAL -
viruses class execute the readObject method
CUSTOMER SUBMITTED WORKAROUND :
protected Class<?> resolveClass(ObjectStreamClass desc)
throws IOException, ClassNotFoundException{
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(
new SerializablePermission("accessClass."+desc.getName()));
}
return super.resolveClass(desc);
}
Add the class protection in the security manager.
Security sandbox protect ObjectInputStream is weakness, only control two parameters
1. enableSubclassImplementation 2. enableSubstitution
Actually ObjectInputStream should introduce the protection for class name while deserialize the object.
We can't depend on the checking the object to make the security for deseialize object.
test obj = (test) objectInputStream.readObject();
If deliver the viruses serialize object to ObjectInputStream, it had been executed.
EX.
Class viruses implements Serializable {
private void readObject(java.io.ObjectInputStream s) {
s.defaultReadObject();
System.out.println("Execute");
}
}
However the "execute" message will be printed although it isn't test object.
JUSTIFICATION :
CVE-2015-7501
Spring framework RCE leak
If use basic ObjectInputStream deserialize the object, can't make sure the process is safe.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Not test class will reject
ACTUAL -
viruses class execute the readObject method
CUSTOMER SUBMITTED WORKAROUND :
protected Class<?> resolveClass(ObjectStreamClass desc)
throws IOException, ClassNotFoundException{
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(
new SerializablePermission("accessClass."+desc.getName()));
}
return super.resolveClass(desc);
}
Add the class protection in the security manager.
Attachments
Issue Links
- is blocked by
-
JDK-8154961 JEP 290: Filter Incoming Serialization Data
-
- Closed
-