
Why wasn't the Java serialization vulnerability patched?

An old Java serialization vulnerability has popped up again in PayPal's servers. Expert Nick Lewis explains how this vulnerability works and why it had not been patched.

I read that a Java serialization vulnerability that had been disclosed more than a year ago was discovered in PayPal's servers by a security researcher. What is this vulnerability, and why wasn't it patched? How can attackers take advantage of it?

The Java serialization vulnerability occurs when input submitted over the internet is converted from one format to another, which is then saved to a database. The data processed during this conversion is where the vulnerability lies, and in some vulnerable software it can be exploited for remote code execution. The vulnerability was considered theoretical because it was difficult to exploit, until FoxGlove Security published a blog post with exploit code for widely used software. With that exploit code public, the Java serialization vulnerability went from theoretical to something enterprises needed to address.

This specific Java serialization vulnerability was examined by PayPal Engineering with input from security researcher Mark Litchfield, and PayPal explained how it fixed the vulnerability in its systems. Fellow security researcher Michael Stepankin also wrote a detailed explanation of how he was able to remotely execute code on PayPal servers via this vulnerability.

Reading about the effort PayPal Engineering went through to find vulnerable code in its products helps paint a picture of why enterprises, including PayPal, hadn't addressed the vulnerability before the exploit code was published. An enterprise without a central software development repository would find it even harder to locate vulnerable code, and would have to scan all of its web applications to look for vulnerable systems.

Enterprises can protect against these types of Java serialization attacks by having security integrated into their software development lifecycle. Something PayPal didn't mention in its post was that running the web server as a nonprivileged user without broad access to execute code on the system could have reduced the impact of the vulnerability being exploited for remote code execution.
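The two paragraphs above describe the mechanism (untrusted data being deserialized before the application checks what it is) and the fix (catching it in the development lifecycle). The following is an added example written for this page, not code from PayPal, FoxGlove Security or the researchers named above. It puts the vulnerable pattern beside a hardened one: both methods deserialize a byte array, but the hardened one installs a `java.io.ObjectInputFilter` (Java 9 and later) that allows only the expected class and caps the object graph before anything is constructed. The `Order` type, the method names and the `java.util.Date` payload are hypothetical stand-ins; a real exploit payload would be a gadget chain built from a library already on the classpath, which is exactly what the allowlist refuses.

```java
import java.io.*;

// Added example (not from the article): vulnerable vs. hardened deserialization.
public class DeserializationDemo {

    // The only type this hypothetical service legitimately expects from a client.
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku;
        final int qty;
        Order(String sku, int qty) { this.sku = sku; this.qty = qty; }
        @Override public String toString() { return sku + " x" + qty; }
    }

    // VULNERABLE: deserializes whatever the client sent. Any Serializable class on the
    // classpath can be instantiated, and its readObject()/readResolve() hooks run before
    // the cast to Order is ever checked. That window is what the published exploits use.
    static Order parseOrderUnsafe(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return (Order) in.readObject();
        }
    }

    // HARDENED: an allowlist filter rejects every class except the ones we expect
    // ("!*" denies everything not matched earlier) and limits depth, array size and
    // total bytes. The filter runs when the class descriptor is read, before any
    // instance of that class is created.
    static Order parseOrderSafe(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=5;maxarray=1000;maxbytes=65536;"
              + Order.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(filter);
            return (Order) in.readObject();
        }
    }

    // Helper used only to build the constructed sample inputs below.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new Order("SKU-1", 2));
        // Constructed stand-in for an unexpected payload: a harmless class the order
        // service never uses. It is enough to show the difference in behaviour.
        byte[] unexpected = serialize(new java.util.Date());

        System.out.println("safe/good: " + parseOrderSafe(good));

        try {
            parseOrderUnsafe(unexpected);
        } catch (ClassCastException e) {
            // The Date was fully deserialized (its readObject hook ran) before this failed.
            System.out.println("unsafe/unexpected: object constructed, then cast failed");
        }

        try {
            parseOrderSafe(unexpected);
        } catch (InvalidClassException e) {
            // Rejected by the filter before construction; message reads "filter status: REJECTED".
            System.out.println("safe/unexpected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo` on Java 9 or later. The design point is that the vulnerable version's only check is the cast, which happens after the object graph has already been built; the hardened version makes the decision on the class name before construction, so the application never has to trust the stream. On older runtimes the same effect is achieved by overriding `ObjectInputStream.resolveClass` to consult the allowlist, and a process-wide default can be set with the `jdk.serialFilter` system property so that code paths the review missed are still covered.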


This was last published in June 2016
