This article was originally published on the Red Hat Customer Portal. The information may no longer be current.
All classes which implement the java.io.Serializable interface can be serialized and deserialized, with Java handling the plumbing automatically. In the first part of this two-part series, we looked at some of the unexpected security consequences which can arise from usage of binary deserialization in Java applications. This second part of the series will focus on security issues related to XML deserialization.
XML Deserialization
An alternative approach to Java's native binary serialization is XML serialization, where the state of in-memory objects is represented as an XML document. XML serialization capabilities are provided by a number of commonly-used libraries. The Java Architecture for XML Binding (JAXB) is the standard implementation, which is available as part of the Java runtime environment, and as a standard API in J2EE environments. Several other XML serialization libraries exist - this article will focus on just two: XMLDecoder and XStream, both of which have exposed serious security issues in recent releases.
XMLDecoder
XMLEncoder/XMLDecoder are components in the Java Development Kit (JDK) that provide long term persistence for Java beans, using an XML serialization format to achieve this. This functionality is very powerful, as the XML format can represent a series of methods that will be called to reconstruct an instance of the object. If an application uses XMLDecoder to deserialize content provided by a user, then the user could inject arbitrary code into the specification of methods to call when reconstructing the object. In other words, any application that allows a user to pass content that will be deserialized by XMLDecoder is exposing a remote code execution flaw.
Dinis Cruz et al. reported that the Restlet REST framework did just this, using XMLDecoder to deserialize the content of XML REST API requests. This flaw was assigned CVE-2013-4221, and was patched by disabling the vulnerable functionality. While researching this issue, it was also found that Restlet provided similar functionality using binary serialization. This would not expose remote code execution by default, but could expose various security issues, as described in the first article of this series. The binary deserialization flaw in Restlet was assigned CVE-2013-4721, and was also patched by disabling the vulnerable functionality.
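The article's take-home point for XMLDecoder is that the document format itself is the attack surface: it can name any class and any method. One defensive pattern, added here as an illustration and not code from the Restlet project or from Red Hat, is to pre-validate the bytes with a SAX parser against a tiny allowlist (only `<object class="...">` for bean classes the application expects, only `<void property="...">` setters, only primitive and string value elements, and no DTD) and to hand them to XMLDecoder only after that check passes. The `Greeting` bean, the `GuardedXmlDecoder` class and the two sample documents are constructed for the example; it assumes Java 9 or later for `Set.of` and the Xerces feature URIs used by the JDK's built-in parser.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public final class GuardedXmlDecoder {

    // Hypothetical bean the application genuinely expects from the client.
    public static final class Greeting {
        private String message;
        public String getMessage() { return message; }
        public void setMessage(String m) { message = m; }
    }

    // The only classes an <object class="..."> element may name.
    private static final Set<String> ALLOWED_CLASSES = Set.of(Greeting.class.getName());

    // Leaf value elements XMLEncoder emits for primitives and strings.
    private static final Set<String> VALUE_ELEMENTS = Set.of(
        "string", "int", "long", "short", "byte", "boolean", "double", "float", "char", "null");

    /** Rejects any document that is more than "set allowlisted bean properties". */
    static void validate(byte[] xml) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // No DTDs or external entities: removes XXE and entity-expansion risk from the pre-check itself.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        SAXParser parser = factory.newSAXParser();

        parser.parse(new ByteArrayInputStream(xml), new DefaultHandler() {
            private boolean rootSeen;

            @Override
            public void startElement(String uri, String local, String qName, Attributes a) throws SAXException {
                if (!rootSeen) {                       // XMLEncoder's root is <java ...>; its attributes are harmless
                    if (!"java".equals(qName)) throw new SAXException("root element must be <java>");
                    rootSeen = true;
                    return;
                }
                switch (qName) {
                    case "object":                     // exactly one attribute, and it must be an allowlisted class
                        if (a.getLength() != 1 || a.getValue("class") == null
                                || !ALLOWED_CLASSES.contains(a.getValue("class"))) {
                            throw new SAXException("disallowed <object> element");
                        }
                        break;
                    case "void":                       // property setters only: no method=, index=, field=, idref=
                        if (a.getLength() != 1 || a.getValue("property") == null) {
                            throw new SAXException("only <void property=\"...\"> is accepted");
                        }
                        break;
                    default:                           // <new>, <class>, <array>, etc. are all refused
                        if (!VALUE_ELEMENTS.contains(qName) || a.getLength() != 0) {
                            throw new SAXException("disallowed element <" + qName + ">");
                        }
                }
            }
        });
    }

    /** Validate first, then let XMLDecoder reconstruct the bean. */
    static Object decode(byte[] xml) throws Exception {
        validate(xml);
        try (XMLDecoder decoder = new XMLDecoder(new ByteArrayInputStream(xml))) {
            return decoder.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: what XMLEncoder itself produces for a Greeting bean.
        String ok = "<java version=\"1.8\" class=\"java.beans.XMLDecoder\">"
            + "<object class=\"" + Greeting.class.getName() + "\">"
            + "<void property=\"message\"><string>hello</string></void></object></java>";
        Greeting g = (Greeting) decode(ok.getBytes(StandardCharsets.UTF_8));
        System.out.println("decoded message: " + g.getMessage());

        // Constructed sample naming a class the application never asked for: refused before XMLDecoder runs.
        String other = "<java><object class=\"java.lang.StringBuilder\"/></java>";
        try {
            decode(other.getBytes(StandardCharsets.UTF_8));
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check is deliberately a positive allowlist of element shapes rather than a blocklist of dangerous classes, because the XMLDecoder grammar can reach arbitrary static methods and constructors through `method`, `new` and `class` elements, and a blocklist would have to anticipate every such path.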
XStream
XStream is an open source library, external to the JDK, which aims to simplify XML serialization and deserialization. It is popular due to its ease of use. XStream does not allow the specification of deserialization logic as XMLDecoder does. However, Dinis Cruz et al. also reported that XStream's reflection-based approach to deserialization can be used to achieve arbitrary code execution when deserializing user-supplied XML. XStream will deserialize classes of any type. It has a special handler for dynamic proxy instances, which will resolve the implemented interfaces and handler. This allows an attacker to provide XML representing a dynamic proxy class, which implements the interface of a class the application might expect, then also implements a handler that calls arbitrary code when any of the members of the deserialized class are called.
There has been debate within the community as to how this should be resolved. Any application that is deserializing arbitrary user-supplied input is potentially vulnerable to a variety of security issues, as discussed in this series of articles. Should it then be considered a concern for applications using XStream to resolve? Some applications have already done so.
It was found that Spring OXM provided an XStreamMarshaller class, which would by default expose the remote code execution issue. Spring addressed this in documentation, warning users to apply a class type whitelist using a configuration property. It was also found that Sonatype Nexus was using XStream in a fashion that exposed an unauthenticated remote code execution flaw. This was addressed by forking the XStream library, and adding a patch that introduces support for class type whitelisting. Concurrently, the XStream project itself is now working on a patch that introduces support for class type whitelisting. The whitelisting will be disabled by default in the next minor release to maintain backwards compatibility, but will be enabled by default in the next major release. The flaw as it pertains to XStream itself has been assigned CVE-2013-7285.
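The class type whitelisting that the paragraph above describes Spring, Sonatype Nexus and the XStream project converging on looks like the following when applied by an application. This is an added example, not code from Spring, Nexus or the XStream project; it uses the `addPermission`/`allowTypes` API that XStream shipped in release 1.4.7 (after this article was written), and the `Greeting` class and sample documents are constructed for the illustration. `NoTypePermission.NONE` clears XStream's default permissions so that only the types added afterwards can be instantiated.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public final class XStreamAllowlist {

    // Hypothetical value object the application expects on its API.
    public static final class Greeting {
        public String message;
    }

    /** An XStream instance that refuses every type not explicitly listed. */
    static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);            // deny everything, including the built-in defaults
        xs.addPermission(NullPermission.NULL);              // then re-admit the obvious primitives...
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, Greeting.class });  // ...and exactly the classes we need
        xs.alias("greeting", Greeting.class);
        return xs;
    }

    /** The pre-1.4.7 behaviour the article describes: any class named in the XML is instantiated. */
    static XStream permissive() {
        XStream xs = new XStream();
        xs.alias("greeting", Greeting.class);
        return xs;
    }

    public static void main(String[] args) {
        XStream xs = hardened();

        // Constructed sample: the document the application actually expects.
        Greeting g = (Greeting) xs.fromXML("<greeting><message>hello</message></greeting>");
        System.out.println("decoded message: " + g.message);

        // Constructed sample naming a type outside the allowlist. A dynamic proxy payload
        // names types the same way, so it is refused at the same point.
        String other = "<java.util.HashMap/>";
        try {
            xs.fromXML(other);
            System.out.println("unexpectedly accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Without the allowlist the same document is happily materialised.
        Object o = permissive().fromXML(other);
        System.out.println("permissive instance: " + o.getClass().getName());
    }
}
```

The important ordering detail is that `NoTypePermission.NONE` must be added before the allow calls: adding it clears all permissions registered so far, so an allowlist configured earlier would be silently discarded. Since XStream 1.4.18 the allowlist is the default, but the explicit configuration above is still the way to state precisely which types an endpoint accepts.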
Conclusion
XML serialization is potentially very dangerous when used to transport untrusted, user-supplied data. In addition to the problem of vulnerable serializable classes that is exposed by binary serialization, XML serialization also introduces several other possibilities for exposing remote code execution flaws. As an application developer, the take-home message is simple: never deserialize untrusted content using any Java serialization format. Content should always be checked to ensure that it is of an acceptable type prior to deserialization.
About the author
Red Hat is the world’s leading provider of enterprise open source software solutions, using a community-powered approach to deliver reliable and high-performing Linux, hybrid cloud, container, and Kubernetes technologies.
Red Hat helps customers integrate new and existing IT applications, develop cloud-native applications, standardize on our industry-leading operating system, and automate, secure, and manage complex environments. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500. As a strategic partner to cloud providers, system integrators, application vendors, customers, and open source communities, Red Hat can help organizations prepare for the digital future.