Analysis
Deserialization vulnerabilities: root cause and importance
Every journey starts at the very beginning and, as it’s mildly highlighted by a very well-known movie soundtrack, the very beginning is a “very good place to start”.
This first article will focus on the topic of deserialization vulnerabilities and will offer answers to the following questions:
- What are deserialization vulnerabilities and what is their root cause?
- How to quickly identify them?
- Why is it important to be aware that you have such a vulnerability?
- Giving back to the community: a proof of concept showing how the basics work in action.
Using the methodology outlined below, our team found multiple deserialization vulnerabilities during its security assessments. This resulted in the discovery of previously unknown vulnerabilities, known as zero-days or 0-days, which were assigned the following Common Vulnerabilities and Exposures identifiers (CVEs or CVE IDs):
- CVE-2022-29063 – Ofbiz Local Listener RMI Local Privilege Escalation
- CVE-2022-24818 – Deserialization via Remote Malicious RMI Server in Geoserver
- CVE-2021-46364 – SnakeYaml Deserialization in Magnolia v6.2.3
- CVE-2019-19810 – Zoom Call Recording 6.3.1 RMI Deserialization
- CVE-2019-1422 – Deserialization via Remote Malicious RMI Server in Alfresco Community Edition 5.2
- Private Deserialization Vulnerabilities in Apache James, Atlassian Confluence and Jfrog Artifactory
Additionally, further research on the vulnerability “CVE-2022-41853 – HyperSQL Call Any Java Static Method” determined that it can be leveraged, in certain scenarios/setups, to obtain direct deserialization of untrusted data.