This comes from Mark Reinhold himself, chief architect of the Java platform at Oracle, who discussed the topic with InfoWorld a few days ago.
Reinhold says that the Java team is currently working on removing serialization support from the JDK. For those who absolutely need it, a plug-in mechanism that provides serialization through a new framework is planned. He gave no date.
In his view, adding serialization support to Java in 1997 was ‘a horrible mistake’.
Serialization turns an object into a stream of bytes, so that it can be persisted or sent over RMI, a socket connection and the like, and later reconstituted by deserialization.
The problem with Java serialization is security. According to Mark Reinhold, at least a third, and perhaps even half, of the vulnerabilities in Java involve serialization. Oracle's January 2018 Critical Patch Update fixed 237 vulnerabilities across its products; more than 28% of them involved unsafe deserialization.
The problem came to prominence in early 2015, when two researchers, Chris Frohoff and Gabriel Lawrence, showed that an application which deserializes untrusted data while the Apache Commons Collections library is on its classpath can be made to run arbitrary code, by chaining ordinary ‘gadget’ classes from that library.
In late 2015, Foxglove Security researchers went a step further and showed how an attacker could exploit this in real Java applications: any application that deserializes attacker-controlled input with Apache Commons Collections on its classpath is exposed, whether or not the application itself ever calls that library.
They demonstrated it against popular Java software such as WebLogic, WebSphere, JBoss, Jenkins and OpenNMS. The attacker sends a crafted serialized object to an endpoint that deserializes incoming data (a network listener, a message queue, a session store), and the malicious behaviour runs during deserialization itself, before the application ever looks at the resulting object.
The flaw rocked the entire Java ecosystem in 2016, when it was found to affect 70 other Java libraries and was even used to compromise PayPal's servers. Apache, Oracle, Cisco, Red Hat, Jenkins, VMware, IBM, Intel, Adobe, HP and SolarWinds all had to release security patches for their products.
The flaw was considered so dangerous that Google engineers volunteered their spare time to patch the vulnerable Java libraries in more than 2,600 open-source projects. Internally, Google referred to the flaw as Mad Gadget, but everyone called it the Java Apocalypse.
Last year, a single deserialization flaw in Apache Struts (Java) affected 65% of Fortune 100 companies.
For the record, until Oracle ships the changes Mark Reinhold describes, remember that teams who do not want a developer or module to deserialize arbitrary classes can already restrict it with the serialization filter added to Java in 2017 (JEP 290, delivered in Java 9 and backported to Java 8u121). A filter is an allow-list or deny-list of class names plus limits on stream depth, size and reference count; it can be set for the whole process with the jdk.serialFilter property or per ObjectInputStream in code.
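As an added example (not code from the InfoWorld piece, from Oracle, or from any of the projects named above), the Java below puts the unsafe pattern described earlier beside the filtered one. The class name SerialFilterDemo, the Order and Gadget classes and the limits in the filter pattern are all constructed for this example; Gadget's readObject only counts how often it is invoked, standing in for the gadget chains that real attacks use, and it shows that code runs as a side effect of deserialization before the caller sees any object.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example: unfiltered readObject() beside a JEP 290 allow-list filter (Java 9+ API).
public class SerialFilterDemo {

    // Constructed application type that the service legitimately expects to receive.
    // Only primitive fields, so the stream carries exactly one class descriptor.
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final int id;
        final long cents;
        Order(int id, long cents) { this.id = id; this.cents = cents; }
    }

    // Constructed stand-in for a gadget class: any Serializable class on the classpath may
    // define readObject, and the JVM calls it while the stream is being read, before the
    // caller ever sees the returned object. A real gadget does far worse than count.
    public static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static int readObjectCalls = 0;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectCalls++;   // stands in for "attacker-chosen code runs here"
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable: readObject() on untrusted bytes with no filter. Whatever class the peer
    // named is resolved and instantiated, as long as it is Serializable and on the classpath.
    static Object readUnfiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return ois.readObject();
        }
    }

    // Hardened: a per-stream allow-list. Only Order is accepted, "!*" rejects every other
    // class, and the limits cap graph depth, reference count and stream size. The filter is
    // consulted when the class descriptor is read, i.e. before that class's readObject runs.
    static Object readFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        String pattern = "maxdepth=5;maxrefs=100;maxbytes=4096;" + Order.class.getName() + ";!*";
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            ois.setObjectInputFilter(filter);   // must be set before the first readObject()
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] order  = serialize(new Order(42, 1999L));
        byte[] gadget = serialize(new Gadget());   // what a hostile peer would send

        readUnfiltered(gadget);
        System.out.println("unfiltered: Gadget.readObject ran " + Gadget.readObjectCalls + " time(s)");

        Order o = (Order) readFiltered(order);
        System.out.println("filtered: accepted Order id=" + o.id + " cents=" + o.cents);

        try {
            readFiltered(gadget);
            System.out.println("filtered: Gadget accepted (should not happen)");
        } catch (InvalidClassException e) {
            // The filter rejects the class descriptor, so readObject was never reached again.
            System.out.println("filtered: " + e.getMessage()
                + "; Gadget.readObject still ran only " + Gadget.readObjectCalls + " time(s)");
        }
    }
}
```

Compile and run with `javac SerialFilterDemo.java && java SerialFilterDemo`. The unfiltered read instantiates Gadget and runs its readObject; the filtered read accepts Order and rejects Gadget with an InvalidClassException whose message reads "filter status: REJECTED". The same pattern string can be applied to every ObjectInputStream in the process with `-Djdk.serialFilter=<pattern>` on the command line, which is the right choice when you cannot audit every call site; on Java 8u121 and later the programmatic API lives in sun.misc.ObjectInputFilter instead of java.io. Prefer an allow-list ending in `!*` over a deny-list of known gadget classes, since new gadget chains keep being found in libraries you did not write.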