Programming Languages Impacted by Deserialization Issues
26 Oct
Deserialization vulnerabilities have become one of the more persistent problems in application security in recent years. Java and PHP were the first languages in which they drew wide attention, but .NET and Ruby have since proven to be just as exposed.
Serialization and Deserialization
The problem came to wide attention in Java in 2015, when it was shown to affect a large number of widely deployed Java applications, and by 2018 it had been demonstrated against .NET and Ruby applications as well.
But what is the issue? It starts with serialization: converting an in-memory object into a byte stream or text format (a language-native binary format, JSON, XML, YAML) so that it can be sent over the network, stored in a database or written to disk.
Deserialization is the reverse: reading that stream back and rebuilding the original object structure. Almost every application stack does this constantly, often without the developer thinking of it as a trust boundary. The trouble begins when the bytes being read come from a source the attacker controls.
Serious Deserialization Problems
Security researchers showed that when an application deserializes data an attacker controls, the deserializer can be made to instantiate classes of the attacker's choosing with attacker-chosen field values. Because many ordinary classes run code when they are rebuilt or when they are later used (in constructors, finalizers, hash or comparison callbacks and similar hooks), chaining such classes together lets the attacker run arbitrary commands on the server. The result is remote code execution in automated back-end processes that do nothing more than read a message queue, a cookie or a cache entry.
The problem was brought to wide attention in 2015 by researchers who showed that classes in Apache Commons Collections, a very widely used Java library, could be chained into a "gadget chain" that executes a command when deserialized. The library itself was not the vulnerability: any application that deserialized untrusted input and happened to have the library on its classpath was exploitable. That turned out to describe a great many Java servers, including JBoss, OpenNMS and WebSphere, which could be taken over remotely.
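As an added illustration that is not part of the original article or of any of the research it describes, the Ruby snippet below shows the root mechanism in miniature (Ruby is used because that is where the article ends up). The class AuditLogger, the helper names and the forged payload are all constructed for this example. The payload demonstrates object injection, that is, an attacker choosing which class gets rebuilt and with what fields, bypassing the constructor's checks; it is not a command-execution gadget chain. Beside the vulnerable loader are two hardened forms: parsing untrusted input as plain data, and signing serialized blobs the server itself produced so that foreign bytes never reach Marshal.load.

```ruby
require 'json'
require 'openssl'

# An ordinary application class (constructed for this example). Its constructor
# enforces an invariant that the rest of the application relies on.
class AuditLogger
  attr_reader :path

  def initialize(path)
    raise ArgumentError, 'log path must be under /var/log/' unless path.start_with?('/var/log/')
    @path = path
  end
end

# VULNERABLE: rebuilds whatever object the bytes describe. Marshal.load allocates
# the named class and sets its instance variables directly; initialize never runs,
# so every invariant the constructor enforced is gone.
def load_untrusted_marshal(bytes)
  Marshal.load(bytes)
end

# Constructed attacker input (not a real exploit): a Marshal stream describing an
# AuditLogger whose @path points outside /var/log/. Built with allocate + Marshal.dump
# for readability; an attacker would simply write the same bytes by hand.
def forge_payload
  evil = AuditLogger.allocate
  evil.instance_variable_set(:@path, '/etc/passwd')
  Marshal.dump(evil)
end

# HARDENED (preferred): parse untrusted input as plain data. JSON.parse only ever
# produces Hash, Array, String, Numeric, true/false/nil, so the attacker cannot
# choose which class is instantiated, and the constructor's checks run as normal.
def load_json_data(text)
  data = JSON.parse(text)
  raise ArgumentError, 'expected a JSON object' unless data.is_a?(Hash)
  AuditLogger.new(data.fetch('path'))
end

# HARDENED (when Marshal cannot be avoided, e.g. a session store the server owns):
# only load streams the server itself produced, proven by an HMAC over the bytes
# under a secret the attacker lacks. The signature is verified before Marshal.load.
def sign_marshal(bytes, key)
  mac = OpenSSL::HMAC.hexdigest('SHA256', key, bytes)
  "#{mac}|#{[bytes].pack('m0')}"
end

def load_signed_marshal(token, key)
  mac, b64 = token.split('|', 2)
  raise SecurityError, 'malformed token' if mac.nil? || b64.nil?
  bytes = b64.unpack1('m0')
  expected = OpenSSL::HMAC.hexdigest('SHA256', key, bytes)
  raise SecurityError, 'bad signature' unless constant_time_equal?(mac, expected)
  Marshal.load(bytes)
end

# Compare two hex digests without leaking where they differ through timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

if $PROGRAM_NAME == __FILE__
  injected = load_untrusted_marshal(forge_payload)
  puts "vulnerable loader built #{injected.class} with path=#{injected.path} (no check ran)"
  begin
    load_json_data('{"path":"/etc/passwd"}')
  rescue ArgumentError => e
    puts "JSON loader rejected it: #{e.message}"
  end
  key = OpenSSL::Random.random_bytes(32)
  begin
    load_signed_marshal(sign_marshal(forge_payload, 'attacker-guess'), key)
  rescue SecurityError => e
    puts "signed loader rejected it: #{e.message}"
  end
end
```

The same three outcomes hold for every language the article mentions: a native serializer fed foreign bytes rebuilds whatever class those bytes name, a data-only format leaves the attacker no class to pick, and a signature check keeps foreign bytes out of the serializer altogether. The signing approach only helps when the secret really is secret; if the key leaks, the attacker is back to the vulnerable case.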
Not Just a Java Problem
For a time it was thought the issue might be specific to Java. That did not last. PHP's unserialize() had long been known as an object-injection vector when fed untrusted data, and research published in 2017 showed that .NET's serializers and several popular .NET JSON libraries could be abused in exactly the same way.
Ruby Falls Too
Ruby was one of the last major languages to fall. In 2018 the Australian security firm elttam published a "universal" deserialization gadget chain for Ruby: a Marshal stream built only from classes in the Ruby standard library that executes an attacker-supplied command when an application calls Marshal.load on it.
The researchers published not only their findings but the code that produces the payload. That is standard practice in this field: a working proof of concept is what lets maintainers and application owners verify that they are affected and confirm that a fix works, not an invitation to attack.
The chain was shown to work on Ruby versions 2.0 through 2.5. Because the gadgets live in the standard library rather than in some optional third-party dependency, any Ruby application on those versions that passes attacker-controlled data to Marshal.load is affected.