Oracle plans to dump risky Java serialization
A “horrible mistake” from 1997, the Java object serialization capability for encoding objects has serious security issues
Oracle plans to drop from Java its serialization feature that has been a thorn in the side when it comes to security. Also known as Java object serialization, the feature is used for encoding objects into streams of bytes. Used for lightweight persistence and communication via sockets or Java RMI, serialization also supports the reconstruction of an object graph from a stream.
Removing serialization is a long-term goal and is part of Project Amber, which is focused on productivity-oriented Java language features, says Mark Reinhold, chief architect of the Java platform group at Oracle.
To replace the current serialization technology, a small serialization framework would be placed in the platform once records, the Java version of data classes, are supported. The framework could support a graph of records, and developers could plug in a serialization engine of their choice, supporting formats such as JSON or XML, enabling serialization of records in a safe way. But Reinhold cannot yet say which release of Java will have the records capability.
Serialization was a “horrible mistake” made in 1997, Reinhold says. He estimates that at least a third—maybe even half—of Java vulnerabilitieshave involved serialization. Serialization overall is brittle but holds the appeal of being easy to use in simple use cases, Reinhold says.
Recently, a filtering capability was added to Java so if serialization is being used on a network and untrusted serialization data streams must be accepted, there is a way to filter which classes can be mentioned, to provide a defense mechanism against serialization’s security weaknesses. Reinhold says Oracle has received many reports are received about application servers running on the network with unprotected ports taking serialization streams, which is why the filtering capability was developed.