How to check an object before deserialization

In my code I call the getObject() method on the ObjectMessage obtained from the JMS queue. A Fortify report complains about this getObject() method with an issue named Dynamic Code Evaluation: Unsafe Deserialization. Basically, it suggests that I should not deserialize untrusted data without checking the contents of the object stream. Below is the code. How, and with what methods, should I get rid of this Fortify report error?

if (message instanceof ObjectMessage) {
    ObjectMessage objMessage = (ObjectMessage) message;
    Object objReportMessage = objMessage.getObject();
....

Below is the recommendation message from Fortify's report. It points this error at the line objMessage.getObject(); in the code above.

Dynamic Code Evaluation: Unsafe Deserialization (1 issue)

Abstract: Deserializing user-controlled object streams at runtime allows attackers to execute arbitrary code on the server, abuse the application logic, or cause a denial of service.

Explanation: Java serialization turns object graphs into byte streams that contain the objects themselves together with the metadata needed to reconstruct them from the stream. Developers can write custom code to assist the deserialization of their Java objects, and that code may even replace the deserialized objects with different objects or proxies. This custom deserialization logic runs while the objects are being reconstructed, before they are returned to the application and cast to the expected types; by the time the application tries to enforce the expected type, the code may already have executed. Custom deserialization routines are defined in serializable classes that must already be present on the runtime classpath and cannot be injected by an attacker, so the practical effectiveness of these attacks depends on which classes are available in the application's environment. Unfortunately, common third-party classes or even JDK classes can be abused to exhaust JVM resources, drop malicious files, or run arbitrary code. Some protocols use Java serialization under the hood as their transport layer; RMI and JMX are examples of such protocols.

Example 1: RMI. The remote interface below exposes methods whose parameters and return values are arbitrary Objects; RMI transports these as Java serialized streams, so the receiving side deserializes whatever the caller sends.

import java.rmi.RemoteException;

public interface MyService extends java.rmi.Remote {
    public Object doSomething(Object arg0) throws RemoteException;
    public Object doSomethingElse(Object arg0, Object arg1) throws RemoteException;
    ...
}

Example 2: JMX. MBeans are exposed through the Java platform MBean server, and remote JMX access (over RMI) exchanges attribute values and operation arguments as Java serialized objects. The following registers MyManagedBean:

import java.lang.management.ManagementFactory;
import javax.management.MBeanServer;
import javax.management.ObjectName;

MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
ObjectName name = new ObjectName("com.example:type=MyManagedBean");
MyManagedBean mbean = new MyManagedBean();
mbs.registerMBean(mbean, name);

Recommendation: If possible, do not deserialize untrusted data without first validating the contents of the object stream. The Java serialization API lets you validate the name of every class in the stream before it is instantiated: subclass java.io.ObjectInputStream and override resolveClass(ObjectStreamClass desc), rejecting any class that is not on an allow-list. This "look-ahead" check runs while the class descriptor is being read, before any constructor, readObject() or readResolve() of the incoming class can execute. Apache Commons IO ships a ready-made stream of this kind (org.apache.commons.io.serialization.ValidatingObjectInputStream). Deserialized objects can likewise be substituted by overriding resolveObject(Object obj). Because several protocols use Java serialization as their transport (e.g. JMX, RMI, JMS, HTTP Invokers), the same exposure exists wherever one of them accepts data from an untrusted source; consider the following:
- ...
- ...
- ...
- ...
HPE Security Fortify Runtime ... ObjectInputStream ...

Copyright 2015 Hewlett Packard LP

+7
3
+5

... ObjectInputStream. ...

... JMS ... JMS ...:

(e.g. JMX, RMI, JMS, HTTP Invokers) ...:

  • ...
  • ...
  • ...
  • ...

...

+7

- ...? ... download library.

0
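The check that both Fortify's recommendation and the answer above point to, a "look-ahead" ObjectInputStream subclass whose resolveClass() rejects every class that is not on an allow-list, as an added example that is not part of the original question, the answers, or Fortify's documentation. ReportMessage, the contents of the allow-list and the round trip in main() are constructed for the demonstration; the rejected payload uses a plain java.util.HashMap only as a stand-in for any class the application did not expect.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Look-ahead deserialization: the class name is checked in resolveClass()
 * while the class descriptor is being read, before any instance is created,
 * so a class that is not on the allow-list never gets its constructor,
 * readObject() or readResolve() invoked.
 */
public class SafeObjectInputStream extends ObjectInputStream {

    private final Set<String> allowedClasses;

    public SafeObjectInputStream(InputStream in, Set<String> allowedClasses) throws IOException {
        super(in);
        this.allowedClasses = allowedClasses;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowedClasses.contains(name)) {
            // Reject before the class is even loaded. InvalidClassException is the
            // exception ObjectInputStream itself uses for classes it cannot accept.
            throw new InvalidClassException(name, "class not on the deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    /** Hypothetical payload type standing in for whatever the queue really carries. */
    public static final class ReportMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        final String reportId;
        ReportMessage(String reportId) { this.reportId = reportId; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** The check the question asks for: deserialize only if every class in the stream is allowed. */
    static Object readChecked(byte[] bytes, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (SafeObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed allow-list: only the message type this consumer expects.
        Set<String> allowed = new HashSet<>(Arrays.asList(ReportMessage.class.getName()));

        // Expected message type: accepted.
        byte[] good = serialize(new ReportMessage("r-42"));
        ReportMessage rm = (ReportMessage) readChecked(good, allowed);
        System.out.println("accepted: " + rm.reportId);

        // Anything else is rejected before it is instantiated. A HashMap is used here
        // because its readObject() calls hashCode() on its keys, which is why it is the
        // root of many known gadget chains; the allow-list never lets it get that far.
        byte[] bad = serialize(new java.util.HashMap<String, String>());
        try {
            readChecked(bad, allowed);
            System.out.println("unexpected: payload was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

Two practical caveats. First, resolveClass() is invoked for every descriptor in the stream, including array types (e.g. "[Ljava.lang.String;") and the serializable superclasses of an allowed class, so the allow-list must name all of them; java.lang.String itself is written as a primitive string record and needs no entry. Second, ObjectMessage.getObject() performs the deserialization inside the JMS provider, so you cannot substitute this stream there directly: either carry the payload as a BytesMessage and deserialize it yourself with a stream like the one above, or use the provider's own class allow-list where it offers one (ActiveMQ's trusted-packages setting, for example). On Java 9 and later (backported to 8u121) the JDK's ObjectInputFilter gives the same look-ahead filtering without subclassing.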

Source: https://habr.com/ru/post/1656414/

