Researchers from Foxglove Security have confirmed deserialization vulnerabilities in third-party Java libraries that could be used to remotely exploit JBoss, WebSphere, Jenkins, WebLogic, and OpenNMS installations, among others. While the issue could potentially exist in many applications, the vulnerability is in how developers deal with user-supplied serialized data and not the libraries themselves.
The issue exists in cases where the application accepts serialized Java objects as input. Unserialize vulnerabilities arise when developers accept serialized data — application data that’s been converted to another format — as user input, then attempt to read back data.
To read this article in full or to leave a comment, please click here