Menu
Oracle plans to dump risky Java serialisation

Oracle plans to dump risky Java serialisation

A “horrible mistake” from 1997, the Java object serialisation capability for encoding objects has serious security issues

Oracle plans to drop from Java its serialisation feature that has been a thorn in the side when it comes to security.

Also known as Java object serialisation, the feature is used for encoding objects into streams of bytes. Used for lightweight persistence and communication via sockets or Java RMI, serialisation also supports the reconstruction of an object graph from a stream.

Removing serialisation is a long-term goal and is part of Project Amber, which is focused on productivity-oriented Java language features, says Mark Reinhold, chief architect of the Java platform group at Oracle.

To replace the current serialisation technology, a small serialisation framework would be placed in the platform once records, the Java version of data classes, are supported.

The framework could support a graph of records, and developers could plug in a serialisation engine of their choice, supporting formats such as JSON or XML, enabling serialisation of records in a safe way. But Reinhold cannot yet say which release of Java will have the records capability.

Serialisation was a “horrible mistake” made in 1997, Reinhold says. He estimates that at least a third—maybe even half—of Java vulnerabilities have involved serialization. Serialisation overall is brittle but holds the appeal of being easy to use in simple use cases, Reinhold says.

Recently, a filtering capability was added to Java so if serialisation is being used on a network and untrusted serialisation data streams must be accepted, there is a way to filter which classes can be mentioned, to provide a defence mechanism against serialisation’s security weaknesses.

Reinhold says Oracle has received many reports are received about application servers running on the network with unprotected ports taking serialisation streams, which is why the filtering capability was developed.

(This article originally appeared on InfoWorld, by Paul Krill)


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Oracle

Featured

Slideshows

EDGE 2019: Thought leaders share how to build a channel of the future

EDGE 2019: Thought leaders share how to build a channel of the future

Day 2 of EDGE was opened by in-depth research from TRA's Tim Dillon, which outlined the partner view on the channel's future. The following day saw Forrester's Jay McBain and Odgers Berndtson's Tim Sleep conclude the keynote line-up, while HPE and Cisco rounded off the thought leadership.

EDGE 2019: Thought leaders share how to build a channel of the future
Tech credentials on show during Ingram Micro One APAC

Tech credentials on show during Ingram Micro One APAC

Ingram Micro outlined the key technologies for future channel growth on the second day of Ingram Micro One APAC in Singapore, in front of more than 1300 business leaders.

Tech credentials on show during Ingram Micro One APAC
Show Comments