Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8164309

ObjectInputStream should have class name verify in security manager

    XMLWordPrintable

    Details

      Description

      A DESCRIPTION OF THE REQUEST :
      Security sandbox protect ObjectInputStream is weakness, only control two parameters
      1. enableSubclassImplementation 2. enableSubstitution
      Actually ObjectInputStream should introduce the protection for class name while deserialize the object.
      We can't depend on the checking the object to make the security for deseialize object.
      test obj = (test) objectInputStream.readObject();

      If deliver the viruses serialize object to ObjectInputStream, it had been executed.
      EX.
      Class viruses implements Serializable {
      private void readObject(java.io.ObjectInputStream s) {
      s.defaultReadObject();
      System.out.println("Execute");
      }
      }
      However the "execute" message will be printed although it isn't test object.





      JUSTIFICATION :
      CVE-2015-7501
      Spring framework RCE leak
      If use basic ObjectInputStream deserialize the object, can't make sure the process is safe.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Not test class will reject
      ACTUAL -
      viruses class execute the readObject method

      CUSTOMER SUBMITTED WORKAROUND :
      protected Class<?> resolveClass(ObjectStreamClass desc)
      throws IOException, ClassNotFoundException{
      SecurityManager sm = System.getSecurityManager();
              if (sm != null) {
                  sm.checkPermission(
                          new SerializablePermission("accessClass."+desc.getName()));
              }
              return super.resolveClass(desc);
      }
      Add the class protection in the security manager.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                rriggs Roger Riggs
                Reporter:
                webbuggrp Webbug Group
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: