I read that a Java serialization vulnerability that had been disclosed more than a year ago was discovered in PayPal's...
servers by a security researcher. What is this vulnerability, and why wasn't it patched? How can attackers take advantage of it?
The Java serialization vulnerability occurs when an input is converted from a format that had been submitted over the internet to another format, which is then saved to a database. The data processed during this transition, where the vulnerability exists, can be exploited for remote code execution in some vulnerable software. The vulnerability was thought to be theoretical because of its difficulty to exploit, until FoxGlove Security published a blog with an exploit code for widely used software. With this the exploit code, the Java serialization vulnerability went from theoretical to something enterprises needed to address.
This specific Java serialization vulnerability was examined by PayPal Engineering with input from security researcher Mark Litchfield, and it explained how it fixed the vulnerability in its systems. Fellow security researcher Michael Stepankin also wrote a detailed explanation on how he could remotely execute code on PayPal servers via this vulnerability.
Reading the efforts PayPal Engineering went through to find vulnerable code in its products helps to paint a picture of why enterprises, including PayPal, hadn't addressed the vulnerability prior to the exploit code being published. If an enterprise didn't have a central software development repository, it would be even more difficult to find vulnerable code and would have required scanning all web applications to look for vulnerable systems.
Enterprises can protect against these types of Java serialization attacks by having security integrated into their software development lifecycle. Something PayPal didn't mention in its post was that running the web server as a nonprivileged user without broad access to execute code on the system could have reduced the impact of the vulnerability being exploited for remote code execution.
Ask the Expert: Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Read what a Java vulnerability report says about responsible disclosure
Learn how to adapt your infosec program to new risks
Find out if Java patching remains important or has become a pointless exercise
Dig Deeper on Microsoft Patch Tuesday and patch management
Related Q&A from Nick Lewis
Researchers developed aIR-Jumper, an exploit that leverages lights within security cameras to extract data. Learn how this attack works and how to ...continue reading
The com.google.provision virus reportedly targets Android users, but little is known about it. Nick Lewis discusses the mystery threat and how Common...continue reading
A bug in Microsoft's Internet Explorer update exposes information that users enter into the browser's address bar. Learn more about the bug and URL ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.