If the vendors cannot provide patches and the customers cannot make any source code changes, then
how can such production systems be protected? The following are the currently available options.
Web Application Firewalls – WAFs are not helpful here because they have no application context: they can only inspect the requests entering and the responses leaving the application. Applying heuristics to the incoming requests will produce both false positives and false negatives; the serialized payload is opaque to the WAF, and the gadget chain it carries is assembled from classes that are legitimately present on the application's classpath. Any security solution that has no application context and operates outside of the application cannot adequately mitigate deserialization attacks.
RASP vendors and Java agents – these run inside the JVM and either disable deserialization completely or apply blacklisting / whitelisting (deny / allow lists) to the classes that are being deserialized. A blacklist only covers the gadget classes that are already known and must be updated for every new gadget chain; a whitelist of the classes the application actually needs to deserialize is the stronger of the two.
It’s unlikely that we’ve seen the last of hackers using insecure deserialization to target enterprise systems.
With the ubiquity of Java and other languages that rely on serialization for communication, it’s a good
time to put safeguards in place to protect critical applications.
About the Author
Apostolos Giannakidis, Security Architect, Waratek
Apostolos drives the research and the design of the security features of Waratek's RASP container. Before starting his journey at Waratek in 2014, he worked at Oracle for 2 years, focusing on Destructive Testing of the whole Oracle technology stack and on Security Testing of the Solaris operating system. Apostolos is acknowledged by Oracle for submitting two Java Deserialization vulnerabilities that were fixed in the Oracle January 2019 CPU. Apostolos can be reached on Twitter at @cyberApostle and via our company website http://www.waratek.com