[Java]: Delayed unsafe deserialization #556

Closed
@artem-smotrakov

Description

@artem-smotrakov

Query PR

github/codeql#8501

Language

Java

CVE(s) ID list

CVE-2016-6194

CWE

CWE-502

Report

Deserialization can sometimes be implemented in two steps. An untrusted serialized object can be stored in a field, but the actual deserialization happens only when the object is necessary. CVE-2016-6194 in RabbitMQ is an example of such a scenario (GitHub issue). Untrusted data that comes from a response is stored in the RMQObjectMessage.buf field. Then, deserialization happens when the getObject() method is called. Currently, the java/unsafe-deserialization query doesn't catch this. I've suggested several updates to the query that allow detecting it.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

  • Yes
  • No

Blog post link

No response
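The two-step pattern the report describes, shown as an added example that is not part of the issue, of RabbitMQ, or of the CodeQL query. The classes `LazyMessage`, `FilteredLazyMessage` and `Greeting` are hypothetical stand-ins (they are not RMQObjectMessage or any real RabbitMQ type); the point is that the constructor only parks untrusted bytes in a field, so the dangerous `readObject()` call sits in a different method, possibly reached much later and from a different call site. The hardened variant keeps the same shape but guards the delayed sink with a JEP 290 `ObjectInputFilter` (Java 9+) that allows only the payload type the receiver expects.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

// Hypothetical demo of "delayed" deserialization; not RabbitMQ's code.
public class DelayedDeserializationDemo {

    /** Harmless payload type the receiver actually expects (constructed for the demo). */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String text;
        public Greeting(String text) { this.text = text; }
    }

    /**
     * Vulnerable shape: the constructor only stores the untrusted bytes, so a check
     * that looks for a sink at the point where the data arrives sees nothing.
     */
    public static final class LazyMessage {
        private final byte[] buf;                       // step 1: bytes from the wire parked in a field

        public LazyMessage(byte[] untrustedBytes) { this.buf = untrustedBytes; }

        // step 2: the real sink, reached later and possibly from an unrelated call site
        public Object getObject() throws IOException, ClassNotFoundException {
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf))) {
                return in.readObject();                 // any serializable class graph is instantiated here
            }
        }
    }

    /**
     * Hardened shape: same two-step structure, but the delayed sink is guarded by an
     * ObjectInputFilter that allows only the expected class (plus String), rejects
     * everything else ("!*") and caps graph depth and reference count.
     */
    public static final class FilteredLazyMessage {
        private final byte[] buf;
        private final ObjectInputFilter filter;

        public FilteredLazyMessage(byte[] untrustedBytes, Class<?> expected) {
            this.buf = untrustedBytes;
            this.filter = ObjectInputFilter.Config.createFilter(
                    expected.getName() + ";java.lang.String;!*;maxdepth=4;maxrefs=16");
        }

        public Object getObject() throws IOException, ClassNotFoundException {
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf))) {
                in.setObjectInputFilter(filter);        // filter is consulted before any class is resolved
                return in.readObject();                 // InvalidClassException on a rejected class
            }
        }
    }

    /** Serialize an object to bytes; stands in for data arriving from the network. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] wire = serialize(new Greeting("hello"));        // constructed sample input

        LazyMessage m = new LazyMessage(wire);                  // nothing deserialized yet
        System.out.println(((Greeting) m.getObject()).text);     // deserialization happens only here

        FilteredLazyMessage f = new FilteredLazyMessage(wire, Greeting.class);
        System.out.println(((Greeting) f.getObject()).text);     // expected type passes the filter

        // A payload whose top-level class is not the expected one is rejected before instantiation.
        byte[] other = serialize(new ArrayList<>(List.of("x")));
        try {
            new FilteredLazyMessage(other, Greeting.class).getObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

For a static-analysis rule the relevant observation is the one the report makes: the taint step from the constructor argument into `buf` and then from `buf` into `readObject()` crosses a field store and a separate method, so the query must track flow through the field rather than only from a remote source straight into a deserialization call.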

Metadata

Assignees

No one assigned

Labels

All For One (Submissions to the All for One, One for All bounty)

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests