I read that a Java serialization vulnerability that had been disclosed more than a year ago was discovered in PayPal's servers by a security researcher. What is this vulnerability, and why wasn't it patched? How can attackers take advantage of it?
The Java serialization vulnerability occurs when an application takes input submitted over the internet in one format (a serialized Java object stream) and converts it back into another (live Java objects), which is then saved to a database. The data processed during this conversion, where the vulnerability exists, can be exploited for remote code execution in some vulnerable software. The vulnerability was thought to be theoretical because of how difficult it was to exploit, until FoxGlove Security published a blog post with exploit code for widely used software. With this exploit code, the Java serialization vulnerability went from theoretical to something enterprises needed to address.
This specific Java serialization vulnerability was examined by PayPal Engineering with input from security researcher Mark Litchfield, which explained how it fixed the vulnerability in its systems. Fellow security researcher Michael Stepankin also wrote a detailed explanation of how he was able to remotely execute code on PayPal servers via this vulnerability.
Reading about the efforts PayPal Engineering went through to find vulnerable code in its products helps to paint a picture of why enterprises, including PayPal, hadn't addressed the vulnerability prior to the exploit code being published. If an enterprise didn't have a central source code repository, finding vulnerable code would be even more difficult and would require scanning all of its web applications to look for vulnerable systems.
Enterprises can protect against these types of Java serialization attacks by having security integrated into their software development lifecycle. Something PayPal didn't mention in its post was that running the web server as a nonprivileged user without broad access to execute code on the system could have reduced the impact of the vulnerability being exploited for remote code execution.
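As an added example (not code from PayPal's post or from the researchers' write-ups), this shows one concrete control that fits into the development lifecycle described above: the JDK's built-in deserialization filter (ObjectInputFilter, Java 9 and later) configured as an allowlist, so that only the object types the application expects can be reconstructed from an incoming stream. The class names, limits and sample objects are constructed for the demonstration.

```java
import java.io.*;
import java.util.*;

// Added example: deserialization allowlist using the JDK's ObjectInputFilter (JEP 290, Java 9+).
public class DeserializationFilterDemo {

    // Pattern syntax: resource limits first, then class patterns; the trailing "!*" rejects
    // every class not listed. Without it, unlisted classes are UNDECIDED and therefore accepted.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxrefs=200;maxbytes=65536;"
          + "java.lang.*;java.util.ArrayList;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The filter must be installed before readObject() so it sees every class descriptor
    // in the stream; an unlisted class aborts the read with InvalidClassException.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(ALLOWLIST);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: the shape the application actually expects.
        List<String> expected = new ArrayList<>(List.of("alice", "bob"));
        System.out.println("accepted: " + deserialize(serialize(expected)));

        // Constructed sample input: an object graph the application never expects.
        Map<String, Integer> unexpected = new HashMap<>(Map.of("k", 1));
        try {
            deserialize(serialize(unexpected));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide through the jdk.serialFilter system property, which covers third-party libraries that open their own ObjectInputStream. A filter limits what a stream may contain; it does not replace running the server as a nonprivileged user or avoiding deserialization of untrusted input where possible.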
Related Q&A from Nick Lewis