Current state:
http://cr.openjdk.java.net/~briangoetz/amber/serialization.html

On Sat, May 26, 2018 at 1:39 PM Martijn Dashorst <martijn.dasho...@gmail.com>
wrote:

>
>
> https://www.infoworld.com/article/3275924/java/oracle-plans-to-dump-risky-java-serialization.amp.html?__twitter_impression=true
>
> Oracle plans to dump risky Java serialization
> A “horrible mistake” from 1997, the Java object serialization capability
> for encoding objects has serious security issues
>
> Paul Krill
>
> Oracle plans to drop from Java its serialization feature that has been a
> thorn in the side when it comes to security. Also known as Java object
> serialization, the feature is used for encoding objects into streams of
> bytes. Used for lightweight persistence and communication via sockets or
> Java RMI, serialization also supports the reconstruction of an object graph
> from a stream.
>
> Removing serialization is a long-term goal and is part of Project Amber,
> which is focused on productivity-oriented Java language features, says Mark
> Reinhold, chief architect of the Java platform group at Oracle.
>
> To replace the current serialization technology, a small serialization
> framework would be placed in the platform once records, the Java version of
> data classes, are supported. The framework could support a graph of
> records, and developers could plug in a serialization engine of their
> choice, supporting formats such as JSON or XML, enabling serialization of
> records in a safe way. But Reinhold cannot yet say which release of Java
> will have the records capability.
>
> Serialization was a “horrible mistake” made in 1997, Reinhold says. He
> estimates that at least a third—maybe even half—of Java vulnerabilities
> have involved serialization. Serialization overall is brittle but holds the
> appeal of being easy to use in simple use cases, Reinhold says.
>
> Recently, a filtering capability was added to Java so if serialization is
> being used on a network and untrusted serialization data streams must be
> accepted, there is a way to filter which classes can be mentioned, to
> provide a defense mechanism against serialization’s security weaknesses.
> Reinhold says Oracle has received many reports about application servers
> running on the network with unprotected ports taking serialization streams,
> which is why the filtering capability was developed.
>
>
