J2EE Framework: Saving Unserializable Objects to Disk

Incomplete Variant

Structure: Simple

Description

This vulnerability occurs when a J2EE application framework attempts to save objects to disk that cannot be properly serialized, risking application failure.

Extended Description

To handle high traffic, J2EE frameworks often move objects from memory to disk. This includes session and application data. However, these frameworks don't always verify that the objects are serializable first. When the system tries to write an unserializable object, the serialization process fails, which can crash the application or cause unpredictable behavior. An attacker can exploit this weakness to cause a denial of service. By flooding the server with requests, they can trigger the framework's disk-writing mechanism. If enough unserializable objects are forced to disk, the repeated serialization failures can overwhelm the application, making it unavailable to legitimate users.

Common Consequences 2

Scope: Integrity

Impact: Modify Application Data

Data represented by unserializable objects can be corrupted.

Scope: Availability

Impact: DoS: Crash, Exit, or Restart

Non-serializability of objects can lead to system crash.

Potential Mitigations 1

Phase: Architecture and DesignImplementation

All objects that become part of session and application scope must implement the java.io.Serializable interface to ensure serializability of containing objects.

Demonstrative Examples 1

In the following Java example, a Customer Entity JavaBean provides access to customer information in a database for a business application. The Customer Entity JavaBean is used as a session scoped object to return customer information to a Session EJB.

Code Example:Bad
Java
java

However, the Customer Entity JavaBean is an unserialized object which can cause serialization failure and crash the application when the J2EE container attempts to write the object to the system. Session scoped objects must implement the Serializable interface to ensure that the objects serialize properly.

Code Example:Good
Java
java

Applicable Platforms

Languages:

Java : Undetermined

Modes of Introduction

Implementation

Related Weaknesses

ChildOf:

Insufficient Adherence to Expected Conventions (CWE-1076)

Taxonomy Mapping

Software Fault Patterns