Relying on Java applications can put organizations at risk, as research from FoxGlove Security recently showed. That firm has gained attention for discovering a series of vulnerabilities that affect many different Java-based applications and that has been relatively underreported by the media. Because of the way Java reconstructs objects through "deserialization," attackers could exploit the vulnerabilities to pass malicious serialized objects to an application undetected.
While this issue was discovered earlier this year, a new blog post seems to have garnered more attention, as FoxGlove's Steve Breen looks closely at what he calls an "unserialize vulnerability." He also describes the several ways Java applications exchange serialized objects, including HTTP requests and custom protocols.
In many cases, Java applications use deserialization to reconstruct objects from binary data after it has been transmitted; a crafted serialized object can cause code to run on the server, and the Apache Commons Collections library was noted as being especially at risk. Both official products like Oracle WebLogic and custom applications could be subject to this issue.
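As an added illustration, not part of the original post or of FoxGlove's research, the following Java program shows the mitigation that later JDKs provide for exactly this problem: an ObjectInputFilter (JEP 290, standard in Java 9 and later, with a backport to Java 8u121) that allow-lists the one class a service expects and rejects every other class before its constructor or readObject method ever runs. The OrderRequest class, the HashMap standing in for an unexpected class, the stream limits and the log line are assumptions chosen for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class SafeDeserialize {

    // Hypothetical message type: the only class this service expects to receive.
    public static final class OrderRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku;
        final int quantity;

        OrderRequest(String sku, int quantity) {
            this.sku = sku;
            this.quantity = quantity;
        }
    }

    // Allow-list filter (pattern syntax from ObjectInputFilter.Config):
    //  - maxdepth / maxrefs / maxbytes cap nested-object depth, object count and
    //    stream size, so a deeply nested or oversized payload is cut off early;
    //  - OrderRequest and java.lang.String are the only classes permitted;
    //  - the trailing "!*" rejects every other class, which is what stops an
    //    unexpected library class (for example from Commons Collections) from
    //    being instantiated at all.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxrefs=50;maxbytes=4096;"
                    + OrderRequest.class.getName() + ";java.lang.String;!*");

    // Wraps the allow-list so that every rejected class is also logged; feeding
    // these lines to a SIEM gives a detection signal for deserialization probes.
    static final ObjectInputFilter LOGGING_FILTER = info -> {
        ObjectInputFilter.Status status = ALLOW_LIST.checkInput(info);
        if (status == ObjectInputFilter.Status.REJECTED) {
            String what = info.serialClass() == null
                    ? "stream limit exceeded" : info.serialClass().getName();
            System.err.println("deserialization rejected: " + what);
        }
        return status;
    };

    // Deserializes untrusted bytes with the filter installed on the stream.
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(LOGGING_FILTER);
            return in.readObject();
        }
    }

    // Helper used only to build sample input for the demonstration.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected message: passes the filter and is reconstructed normally.
        byte[] expected = serialize(new OrderRequest("SKU-123", 2));
        OrderRequest req = (OrderRequest) readFiltered(expected);
        System.out.println("accepted: " + req.sku + " x" + req.quantity);

        // A HashMap stands in for any class the service never asked for. The
        // filter rejects it before deserialization proceeds, and the stream
        // throws InvalidClassException ("filter status: REJECTED").
        byte[] unexpected = serialize(new HashMap<String, String>());
        try {
            readFiltered(unexpected);
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected as intended: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide without touching application code by starting the JVM with -Djdk.serialFilter=..., which is the practical way to protect a third-party product whose source is not available, but a per-stream filter as above is more precise because each endpoint can name exactly the classes it expects.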
In a security update about this concern, Oracle labeled the flaw as "security issue CVE-2015-4852."
"The Oracle security and development teams are investigating this issue and are developing fixes for the affected products and services," this same statement reads. "The Oracle Cloud teams are evaluating these fixes as they become available and will be applying the relevant patches in accordance with applicable change management processes."
Even though the company has offered security fixes, the pervasiveness of this vulnerability shows the hidden ways that Java can leave companies exposed. To move away from this risk, organizations can instead look for legacy system modernization tactics that use alternatives like JavaScript.