Cyber Defense Magazine – July 2019


If the vendors cannot provide patches and the customers cannot make any source code changes, then
how can such production systems be protected? The following are the currently available options.



  • Web Application Firewalls – WAFs do not help here because they have no application context:
    they can only examine the input and the output of the application, not the classes the
    application is about to instantiate from those bytes. Applying heuristics to the incoming
    requests is bound to produce both false positives and false negatives. A security control
    that has no application context and operates outside of the application cannot adequately
    mitigate deserialization attacks.

  • RASP solutions and Java agents that either disable deserialization completely or apply
    blacklisting / whitelisting to the classes being deserialized. Disabling deserialization
    outright only works for applications that never need it; a blacklist has to be kept current
    as new gadget classes are discovered, whereas a whitelist of the classes the application
    actually expects rejects anything unknown by default.
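
The whitelisting approach from the second option, shown as an added example that is not code from the article or from Waratek's product: it uses the JDK's own ObjectInputFilter (JEP 290, available as java.io.ObjectInputFilter since Java 9) to allow exactly one application class and reject every other class before it is resolved. The class name AllowlistDeserialization, the Order type, the resource limits and the sample payloads are assumptions constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Added example (not from the article or Waratek): a per-stream class allowlist
// built on the JDK's java.io.ObjectInputFilter (JEP 290, Java 9 and later).
public class AllowlistDeserialization {

    // Hypothetical application type that this endpoint legitimately expects.
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku;
        final int quantity;
        Order(String sku, int quantity) { this.sku = sku; this.quantity = quantity; }
    }

    // Allowlist: exactly the classes this endpoint needs, plus resource limits.
    // Patterns are evaluated left to right; the final "!*" rejects every class not
    // explicitly allowed before it, so a gadget class is never even resolved.
    // Strings are encoded natively by the stream and do not pass through the filter.
    // The limits are assumed values; size them to the real payloads of the endpoint.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "AllowlistDeserialization$Order;maxdepth=5;maxrefs=50;maxbytes=4096;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The filter must be installed before readObject(). Setting it on the stream
    // scopes it to this one deserialization point, which is the granularity an
    // allowlist needs, since different endpoints expect different classes.
    static Object deserialize(byte[] data, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            if (filter != null) {
                ois.setObjectInputFilter(filter);
            }
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Order("SKU-42", 3));

        // Stands in for an attacker-controlled payload: any class outside the
        // allowlist, here a plain HashMap, is enough to show the rejection.
        HashMap<String, String> unexpected = new HashMap<>();
        unexpected.put("k", "v");
        byte[] hostile = serialize(unexpected);

        Order o = (Order) deserialize(expected, ALLOWLIST);
        System.out.println("allowed: " + o.sku + " x" + o.quantity);

        // Without a filter the JVM resolves and instantiates whatever class the
        // bytes name; this is exactly the behaviour gadget chains rely on.
        System.out.println("no filter: " + deserialize(hostile, null).getClass().getName());

        try {
            deserialize(hostile, ALLOWLIST);
            System.out.println("BUG: filter did not reject");
        } catch (InvalidClassException e) {
            // ObjectInputStream reports a REJECTED filter status as InvalidClassException.
            System.out.println("rejected by allowlist: " + e.getMessage());
        }
    }
}
```

Run it with `java AllowlistDeserialization.java` on Java 11 or later: the Order payload deserializes, the HashMap payload deserializes only when no filter is set, and with the allowlist it fails with `filter status: REJECTED`. A blacklist is the same mechanism with `!` patterns naming known gadget classes instead of the trailing `!*`, which is why it has to be updated every time a new gadget chain appears. A process-wide filter can also be installed once with the `jdk.serialFilter` system property or `ObjectInputFilter.Config.setSerialFilter`, but per-stream filters are what give each endpoint the application context the WAF lacks.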


It’s unlikely that we’ve seen the last of hackers using insecure deserialization to target enterprise systems.
With the ubiquity of Java and other languages that rely on serialization for communication, it’s a good
time to put safeguards in place to protect critical applications.


About the Author


Apostolos Giannakidis, Security Architect, Waratek

Apostolos drives the research and the design of the security features of
Waratek’s RASP container. Before starting his journey at Waratek in 2014,
he worked at Oracle for two years, focusing on destructive testing across
the whole Oracle technology stack and on security testing of the Solaris
operating system. Apostolos is acknowledged by Oracle for submitting two
Java deserialization vulnerabilities that were fixed in the Oracle
January 2019 CPU.

Apostolos can be reached on Twitter at @cyberApostle and through our
company website http://www.waratek.com