Thanks for sharing!

On Wed, 12 Jun 2019 at 17:47, Martin Grigorov <mgrigo...@apache.org> wrote:
>
> Current state:
> http://cr.openjdk.java.net/~briangoetz/amber/serialization.html
>
> On Sat, May 26, 2018 at 1:39 PM Martijn Dashorst <martijn.dasho...@gmail.com>
> wrote:
>
> >
> >
> > https://www.infoworld.com/article/3275924/java/oracle-plans-to-dump-risky-java-serialization.amp.html?__twitter_impression=true
> >
> > Oracle plans to dump risky Java serialization
> > A “horrible mistake” from 1997, the Java object serialization capability
> > for encoding objects has serious security issues
> >
> > Paul Krill
> >
> > Oracle plans to drop from Java its serialization feature that has been a
> > thorn in the side when it comes to security. Also known as Java object
> > serialization, the feature is used for encoding objects into streams of
> > bytes. Used for lightweight persistence and communication via sockets or
> > Java RMI, serialization also supports the reconstruction of an object graph
> > from a stream.
> >
> > Removing serialization is a long-term goal and is part of Project Amber,
> > which is focused on productivity-oriented Java language features, says Mark
> > Reinhold, chief architect of the Java platform group at Oracle.
> >
> > To replace the current serialization technology, a small serialization
> > framework would be placed in the platform once records, the Java version of
> > data classes, are supported. The framework could support a graph of
> > records, and developers could plug in a serialization engine of their
> > choice, supporting formats such as JSON or XML, enabling serialization of
> > records in a safe way. But Reinhold cannot yet say which release of Java
> > will have the records capability.
> >
> > Serialization was a “horrible mistake” made in 1997, Reinhold says. He
> > estimates that at least a third—maybe even half—of Java vulnerabilities
> > have involved serialization. Serialization overall is brittle but holds the
> > appeal of being easy to use in simple use cases, Reinhold says.
> >
> > Recently, a filtering capability was added to Java so if serialization is
> > being used on a network and untrusted serialization data streams must be
> > accepted, there is a way to filter which classes can be mentioned, to
> > provide a defense mechanism against serialization’s security weaknesses.
> > Reinhold says Oracle has received many reports about application servers
> > running on the network with unprotected ports taking serialization
> > streams, which is why the filtering capability was developed.
> >
> >

-- 
WBR
Maxim aka solomax

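The filtering capability mentioned in the quoted article is the `java.io.ObjectInputFilter` API that shipped in Java 9 (JEP 290). The following is an added example, not code from the thread or from the article: it builds an allow-list filter for a single expected message type (the constructed `Greeting` class), caps stream depth, array size and reference count, logs every rejection so an unexpected class arriving on a listening port shows up in the logs, and shows that an unlisted class is refused with `InvalidClassException` before any of its code runs. The class names, field names and the limit values are assumptions chosen for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class FilteredDeserializationDemo {

    // Constructed sample message type: the only application class that
    // should ever appear in a stream this service accepts.
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Constructed stand-in for "any class not on the allow list". It carries
    // no dangerous logic; the point is that it is rejected by name alone.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        final int value = 42;
    }

    // Serialize an object to bytes, standing in for data read from a socket.
    static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Allow-list filter: limits first, then the expected class and String,
    // then "!*" to reject every other class. Limits are assumed demo values.
    static ObjectInputFilter buildFilter() {
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=1000;maxrefs=500;"
            + Greeting.class.getName() + ";java.lang.String;!*");
        // Wrap the pattern filter so each rejection is logged with the class
        // name and depth: a rejected class on a network-facing port is an
        // event worth alerting on, not just an exception to swallow.
        return info -> {
            ObjectInputFilter.Status status = allowList.checkInput(info);
            if (status == ObjectInputFilter.Status.REJECTED) {
                System.err.println("deserialization filter rejected "
                    + info.serialClass() + " at depth " + info.depth());
            }
            return status;
        };
    }

    // Deserialize with the filter installed. The filter must be set before
    // the first readObject(); the constructor only consumes the stream header.
    static Object readWithFilter(byte[] bytes)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                 new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(buildFilter());
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected type: passes the allow list.
        Greeting ok = (Greeting) readWithFilter(toBytes(new Greeting("hello")));
        System.out.println("accepted: " + ok.text);

        // Unlisted type: rejected by name before its class is resolved or
        // any of its deserialization hooks run.
        try {
            readWithFilter(toBytes(new Unexpected()));
            System.out.println("BUG: unlisted class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Save as `FilteredDeserializationDemo.java` and run with a Java 9 or newer JDK. The same pattern string can be applied process-wide with the `jdk.serialFilter` system property instead of per stream, which is the simpler option for an application server whose code you do not control; the per-stream form shown here is preferable where you can reach the `ObjectInputStream`, because it lets the allow list be as narrow as the one endpoint that reads it.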