JDK-8164309

ObjectInputStream should have class name verify in security manager


Details

    Description

      A DESCRIPTION OF THE REQUEST :
      The security sandbox's protection of ObjectInputStream is weak: it only controls two permissions,
      1. enableSubclassImplementation 2. enableSubstitution
      ObjectInputStream should introduce protection based on the class name while deserializing an object.
      We can't depend on checking the object to make deserialization secure:
      test obj = (test) objectInputStream.readObject();

      If a serialized "viruses" object is delivered to the ObjectInputStream, it has already been executed.
      EX.
      class viruses implements Serializable {
          private void readObject(java.io.ObjectInputStream s)
                  throws java.io.IOException, ClassNotFoundException {
              s.defaultReadObject();
              System.out.println("Execute");
          }
      }
      The "Execute" message will be printed even though it isn't a test object.

      JUSTIFICATION :
      CVE-2015-7501
      Spring framework RCE vulnerability
      If the basic ObjectInputStream is used to deserialize objects, there is no way to make sure the process is safe.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      A class that is not the test class will be rejected.
      ACTUAL -
      The viruses class executes its readObject method.

      CUSTOMER SUBMITTED WORKAROUND :
      @Override
      protected Class<?> resolveClass(ObjectStreamClass desc)
              throws IOException, ClassNotFoundException {
          SecurityManager sm = System.getSecurityManager();
          if (sm != null) {
              // Proposed permission target: the caller must hold "accessClass.<class name>"
              sm.checkPermission(
                      new SerializablePermission("accessClass." + desc.getName()));
          }
          return super.resolveClass(desc);
      }
      Add class protection to the security manager.
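The same idea as the submitted workaround, as an added example that is not part of this report: an ObjectInputStream subclass whose resolveClass() rejects every class not on an explicit allowlist, so the hostile readObject() never runs. The Message and Unexpected types are constructed for the demo (the record needs Java 16+).

```java
import java.io.*;
import java.util.Set;

// Added example (not code from the bug report): reject any class that is not on an
// explicit allowlist inside resolveClass(), before it is loaded or its readObject() runs.
public class AllowlistObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;
    public AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed.contains(name)) {
            throw new InvalidClassException(name, "class not allowed for deserialization");
        }
        return super.resolveClass(desc);
    }
    // Constructed demo types: Message is the expected payload; Unexpected stands in for the
    // report's "viruses" class, so its readObject() must never execute.
    public record Message(String text) implements Serializable {}
    public static class Unexpected implements Serializable {
        private void readObject(ObjectInputStream s) throws IOException, ClassNotFoundException {
            s.defaultReadObject();
            System.out.println("readObject ran");
        }
    }
    // Serialize o in memory and read it back through the filtering stream.
    static Object roundTrip(Object o, Set<String> allowed) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        try (ObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(bos.toByteArray()), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of(Message.class.getName());
        System.out.println("accepted: " + ((Message) roundTrip(new Message("hi"), allowed)).text());
        try {
            roundTrip(new Unexpected(), allowed);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname); // "readObject ran" was never printed
        }
    }
}
```

Since Java 9 (backported to 8u121) the JDK provides this natively as java.io.ObjectInputFilter (JEP 290), which can also bound graph depth, array lengths and reference counts.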

      People
        rriggs Roger Riggs
        webbuggrp Webbug Group