Menu
Oracle plans to dump risky Java serialisation

Oracle plans to dump risky Java serialisation

A “horrible mistake” from 1997, the Java object serialisation capability for encoding objects has serious security issues

Oracle plans to drop from Java its serialisation feature that has been a thorn in the side when it comes to security.

Also known as Java object serialisation, the feature is used for encoding objects into streams of bytes. Used for lightweight persistence and communication via sockets or Java RMI, serialisation also supports the reconstruction of an object graph from a stream.

Removing serialisation is a long-term goal and is part of Project Amber, which is focused on productivity-oriented Java language features, says Mark Reinhold, chief architect of the Java platform group at Oracle.

To replace the current serialisation technology, a small serialisation framework would be placed in the platform once records, the Java version of data classes, are supported.

The framework could support a graph of records, and developers could plug in a serialisation engine of their choice, supporting formats such as JSON or XML, enabling serialisation of records in a safe way. But Reinhold cannot yet say which release of Java will have the records capability.

Serialisation was a “horrible mistake” made in 1997, Reinhold says. He estimates that at least a third—maybe even half—of Java vulnerabilities have involved serialization. Serialisation overall is brittle but holds the appeal of being easy to use in simple use cases, Reinhold says.

Recently, a filtering capability was added to Java so if serialisation is being used on a network and untrusted serialisation data streams must be accepted, there is a way to filter which classes can be mentioned, to provide a defence mechanism against serialisation’s security weaknesses.

Reinhold says Oracle has received many reports are received about application servers running on the network with unprotected ports taking serialisation streams, which is why the filtering capability was developed.

(This article originally appeared on InfoWorld, by Paul Krill)


Tags Oracle

Show Comments