I read that a Java serialization vulnerability that had been disclosed more than a year ago was discovered in PayPal's...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
servers by a security researcher. What is this vulnerability, and why wasn't it patched? How can attackers take advantage of it?
The Java serialization vulnerability occurs when an input is converted from a format that had been submitted over the internet to another format, which is then saved to a database. The data processed during this transition, where the vulnerability exists, can be exploited for remote code execution in some vulnerable software. The vulnerability was thought to be theoretical because of its difficulty to exploit, until FoxGlove Security published a blog with an exploit code for widely used software. With this the exploit code, the Java serialization vulnerability went from theoretical to something enterprises needed to address.
This specific Java serialization vulnerability was examined by PayPal Engineering with input from security researcher Mark Litchfield, and it explained how it fixed the vulnerability in its systems. Fellow security researcher Michael Stepankin also wrote a detailed explanation on how he could remotely execute code on PayPal servers via this vulnerability.
Reading the efforts PayPal Engineering went through to find vulnerable code in its products helps to paint a picture of why enterprises, including PayPal, hadn't addressed the vulnerability prior to the exploit code being published. If an enterprise didn't have a central software development repository, it would be even more difficult to find vulnerable code and would have required scanning all web applications to look for vulnerable systems.
Enterprises can protect against these types of Java serialization attacks by having security integrated into their software development lifecycle. Something PayPal didn't mention in its post was that running the web server as a nonprivileged user without broad access to execute code on the system could have reduced the impact of the vulnerability being exploited for remote code execution.
Ask the Expert: Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Read what a Java vulnerability report says about responsible disclosure
Learn how to adapt your infosec program to new risks
Find out if Java patching remains important or has become a pointless exercise
Dig Deeper on Microsoft Patch Tuesday and patch management
Related Q&A from Nick Lewis
The CIA Vault 7 cache exposed the Brutal Kangaroo USB malware, which can be spread to computers without an internet connection. Learn how this is ...continue reading
Kaspersky Lab recently accused Windows 10 of acting as an antivirus block to third-party antimalware software. Discover how your software is being ...continue reading
QakBot malware triggered hundreds of thousands of Microsoft Active Directory account lockouts. Discover the malware's target and how these attacks ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.