Java finally plans to remove serialization…eventually

At an "Ask the Architect" session during the recent Devoxx UK 2018 conference, Mark Reinhold, Oracle's chief architect for the Java platform, delivered a piece of news that many Java developers have been waiting a long time to hear. According to Application Development Trends Magazine, serialization, the built-in mechanism that turns Java objects into byte streams and back, is slated to be removed from the platform.

"[Serialization] was a horrible mistake in 1997," Reinhold stated, per ADT Magazine. "Some of us tried to fight it, but it went in, and there it is. …We like to call serialization 'the gift that keeps on giving,' and the type of gift it keeps on giving is security vulnerabilities…. Probably a third of all Java vulnerabilities have involved serialization; it could be over half. It is an astonishingly fecund source of vulnerabilities, not to mention instabilities."

But those preparing to jump for joy may not want to stretch just yet. While Oracle has finally made its intention to move past serialization public, no timetable was given during the event. Instead, Reinhold described the work as part of the long-term vision for Project Amber, an OpenJDK project that explores and incubates smaller, productivity-oriented Java language features once they have been accepted as candidate JEPs under the OpenJDK JEP process.

"Once we have records, the Java version of data classes, then it's part of the long term vision to have a new small clean serialization framework in the platform that can take a graph of records," Reinhold told the audience, according to ADT Magazine. "You'll then be able to plug in a serialization engine of your choice, whether you want JSON, XML or YAML, you can plug in the engine to get the format you want, and serialize records in a very safe way because the records wouldn't allow serialization invariance."

"Serialization converts data to an easily transmittable linear format."

What is serialization?
Serialization is the process of converting in-memory data, such as arrays, objects, graphs and records, into a linear sequence of bytes or characters so that it can be written to storage or sent across a network and rebuilt later. The format may be compact binary or human-readable text. For example, if the object held the titles of "The Lord of the Rings" trilogy, it would be broken out into "Fellowship of the Ring," "The Two Towers" and "Return of the King" and written, in an XML-style encoding, like this:

<LordOfTheRingsTitles><FirstBook>Fellowship of the Ring</FirstBook><SecondBook>The Two Towers</SecondBook><ThirdBook>Return of the King</ThirdBook></LordOfTheRingsTitles>

That text would then be written to a file or sent over the wire. On the receiving side it is parsed and reassembled into live objects in a process referred to as deserialization. Serialization and deserialization are old techniques, in use since the 1980s, according to The Center for Internet Security, and many platforms, including Java, Ruby, Python and Microsoft's .NET, support them natively.

How is it a cybersecurity risk?
Unfortunately, as with many older mechanisms, attackers long ago found ways to turn serialization against the systems that use it. Since at least 2003, malicious parties have been feeding crafted serialized data to applications that deserialize input they did not produce themselves. In Java's case the danger is not an unexpected extra field as such; it is that the byte stream names the classes the runtime should instantiate, and those classes can run their own deserialization hooks before the application ever inspects the result. Once crafted input like this:

<LordOfTheRingsTitles><FirstBook>Fellowship of the Ring</FirstBook><SecondBook>The Two Towers</SecondBook><ThirdBook>Return of the King</ThirdBook><Cybercrime>Cyberattack</Cybercrime></LordOfTheRingsTitles>

is accepted by a deserializer that trusts it, the attacker can make the victim machine run code of their choosing, usually without any credentials. From that foothold the attacker can reach other systems that trust the compromised host, which is what makes this class of bug so effective and so damaging.

With serialization, data can be influenced by outside sources.

When will Java remove serialization?
With such a potential for disaster, users may be surprised to discover that Java has yet to remove serialization. The problem is that the mechanism was built into the platform when Java was first released, so core APIs and a great deal of existing application code depend on it.

Oracle has long promoted Java as a portable platform that runs the same code across different hardware and operating systems. To replace serialization, the company has to develop and ship a new mechanism that works across that same range of systems and still lets applications move object data between them.

Because Oracle now favors smaller, incremental changes in each Java release, the company may prefer to leave the existing mechanism in place until a replacement is ready, according to InfoWorld. With no clear timetable, however, it is impossible to say when this source of vulnerabilities will actually go away.

What to do in the meantime?
Until the platform actually drops serialization, organizations have to protect themselves from the vulnerabilities it brings. Keeping software up to date is always helpful, as are applying the principle of least privilege and adhering to a secure development lifecycle. More concretely, code should never hand data from an untrusted source to ObjectInputStream without an ObjectInputFilter (JEP 290, available since Java 9 and backported to Java 8 update 121) that restricts the stream to the classes the application expects, and where a data format such as JSON can carry the payload instead, the sender should not get to choose which classes are instantiated at all.
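The following program is an added example, not code from the article or from Oracle: it ties the "How is it a cybersecurity risk?" section to the advice above. It serializes the trilogy from the earlier example, shows that an unfiltered ObjectInputStream runs a class's readObject() hook simply because the incoming stream named that class, and then installs the ObjectInputFilter allow-list from JEP 290 so that any class other than the expected one is rejected before it is instantiated. The class names Trilogy and Unexpected and the "hostile" payload are constructed for this demonstration; in a real attack the class the stream names would be a gadget already present on the application's classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

/**
 * Added example (not from the article or Oracle): a Java serialization round trip
 * for a small data class, followed by the JEP 290 ObjectInputFilter allow-list that
 * a service should install before deserializing bytes it did not produce itself.
 * Class names and the sample payload are constructed for this demonstration.
 */
public class SafeDeserializationDemo {

    /** The trilogy titles from the article, as a plain Serializable class. */
    public static final class Trilogy implements Serializable {
        private static final long serialVersionUID = 1L;
        final String first, second, third;
        Trilogy(String first, String second, String third) {
            this.first = first; this.second = second; this.third = third;
        }
        @Override public String toString() { return first + " / " + second + " / " + third; }
    }

    /** Stand-in for a gadget class: it does work as a side effect of being deserialized. */
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // In a real gadget chain this is where attacker-chosen behaviour runs,
            // before the application has seen the resulting object at all.
            System.out.println("  readObject() of Unexpected ran during deserialization");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Unsafe: trusts the stream to name the classes that get instantiated. */
    static Object deserializeUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    /** Hardened: only classes on the allow-list may be instantiated; anything else is rejected. */
    static Object deserializeFiltered(byte[] bytes, Set<Class<?>> allowed)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                return ObjectInputFilter.Status.UNDECIDED; // call carries only depth/size metadata
            }
            while (c.isArray()) c = c.getComponentType();   // judge arrays by their element type
            if (c.isPrimitive() || allowed.contains(c)) {
                return ObjectInputFilter.Status.ALLOWED;
            }
            return ObjectInputFilter.Status.REJECTED;       // deny by default
        };
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] trusted = serialize(new Trilogy("Fellowship of the Ring", "The Two Towers", "Return of the King"));
        byte[] hostile = serialize(new Unexpected()); // stands in for bytes an attacker sends

        System.out.println("Unfiltered, trusted bytes: " + deserializeUnfiltered(trusted));
        System.out.println("Unfiltered, hostile bytes:");
        deserializeUnfiltered(hostile); // the gadget's readObject() runs; nobody asked for it

        Set<Class<?>> allowed = Set.of(Trilogy.class, String.class);
        System.out.println("Filtered, trusted bytes:   " + deserializeFiltered(trusted, allowed));
        try {
            deserializeFiltered(hostile, allowed);
        } catch (InvalidClassException e) {
            System.out.println("Filtered, hostile bytes:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

The filter is deny-by-default on purpose: an allow-list of the handful of classes a given endpoint legitimately receives is far easier to keep correct than a deny-list of known gadgets, and String has to be on it because the stream carries the field values as String objects too. The same policy can be applied process-wide with the jdk.serialFilter system property, which is useful when the deserializing code sits inside a library you do not control.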


Our innovative Flynet Viewer simplifies screen integration, easing the modernization process while meeting employer and staff expectations in a way that feels both familiar and simple. Review our product page to learn more about the Inventu Flynet Viewer and the other solutions in our extensive portfolio.