I work in a small software company. We use an agent installed locally which runs on an OSGi environment to collect data about servers and send them to the main server using a WS HTTP request. Usually we use the SBE protocol to encode/decode messages, but it does not work for messages > 50M (the main server gets stuck on SBE decoding), so for this particular case I send the Java serialized object that will be deserialized server-side. A big customer, before installing, tested our app massively and detected the following:
The /resource/save-data-upload-big-file is vulnerable to an insecure Java deserialization.
We succeeded in exploiting this vulnerability to get an execution on the server.
It's not clear to me how they managed to do that (Remote Code Execution), but they proposed to use another method to transmit the data collected to the server.
I was thinking about SealedObject... Will it be safe regarding RCE? Thanks in advance
They are right - (Java) deserialization issues are a big pain for the industry right now. It even made it into the OWASP Top 10. It is not only Java related. Programming languages tend to have some kind of hook mechanism (readObject, writeObject in Java) that can be misused into calling some internal functions over gadgets and libraries present in the application. The mitigation is rather tricky and may force you to go in directions you would rather not. The easiest solution may be to drop the vulnerable endpoint and replace it with something that does not require deserialization of Java classes.