Java deserialisation bug affects several software libraries
According to research by Foxglove Security, a Java deserialisation vulnerability has affected more than 40 software libraries. Though it was initially thought that the deserialisation bug in Apache Commons Collections affected only popular software such as JBoss and WebSphere, new research shows that at least 40 more libraries may be affected by the same bug.
Due to this vulnerability, a major risk comes from apps that accept serialised Java objects. Several popular open source libraries, such as JMS Transport, Apache Directory API, hadoop-mapreduce-client-core and versions of the Webx All-in-one Bundle, are at risk from this bug. It can be exploited by attackers to take control of app servers running the affected libraries.
Developers who use the above mentioned libraries in their applications need to be aware of the risk and should therefore check carefully whether they are deserialising any kind of untrusted data. The need of the hour is for developers to review their libraries and get a clear picture of whether or not their technology is exposed to the deserialisation vulnerability.
Though it has been a while since this problem was first detected, it was not until last month, when a credible attack scenario was outlined, that much attention was paid to it. The main problem lies with apps that do not check untrusted input before deserialisation. And even though many software packages have been updated to date because of this bug, the major challenge is to address the problem in custom software procured from third parties.
Regarded as the “most underrated, underhyped vulnerability of 2015”, one major issue with this development is that several well-established and effectively maintained applications are still deserialising user-supplied data.
For more information on Java software and Java programs visit www.skilladda.com.