How to find and fix Java RMI deserialization vulnerabilities
Java RMI uses the default Java deserialization mechanism for passing parameters during remote method invocations. In other words, RMI uses ObjectInputStream that is a well-known unsafe deserialization mechanism. If an attacker can find and send a deserialization gadget to a vulnerable remote method, in the worst case it can result in arbitrary code execution.
I recently wrote a CodeQL query that looks for dangerous remote objects registered in an RMI registry. This post describes the vulnerability and how the query works.
Luckily, not all RMI methods are vulnerable. Making a long story shorter, to be vulnerable, a remote method has…
How to use CodeQL to find EL injections and fix them
Recently I wrote a post about detecting JEXL injections with CodeQL. JEXL is a library that provides an interpreter for a simple expression language (EL). This time, I’ll talk about injections with Jakarta Expression Language, and how they can be found with CodeQL.
What is Jakarta Expression Language?
Among other things, Jakarta EE contains a specification for an expression language (EL) and defines API for interpreters. The Jakarta EL is a special-purpose programming language that is mostly used in web applications for embedding and evaluating expressions in web pages. But the interpreter may be simply used anywhere else. …
Recently WhiteSource security scanner started reporting WS-2016-7107 against Spring-based applications. This is an old issue in Spring Security that was reported in 2016. Unfortunately, at the moment of writing it, the issue has not been fixed yet. But there is a pull request that should address it. The problem is that CSRF tokens generated by Spring Security are vulnerable to the BREACH attack. The attack is even older — it was published in 2013. The BREACH attack is similar to the CRIME attack but BREACH doesn’t need TLS compression.
There are several conditions for a successful attack:
- The attacker should…
Сел в поезд. Стыдно признаться — в купейный вагон. Последнее время чаще себя балую. Но и цена радует, ведь она такая же, как в плацкартном вагоне, в котором я ехал позавчера. Наверное то был поезд фирменный, а этот какой-нибудь пассажирский, второсортный. И еще вагон древний. Или как кто-то скажет — ламповый. Я давно в таких не ездил. Вокруг всё такое алюминиевое, кожезаменительное, хлопчатобумажное. Подушка завернута в полосатый матрас. Кипятильник масляной краской выкрашен. Металлический унитаз с педалькой. Нажмешь её, и в дырочку видно бегущие под вагоном шпалы. Однако, всё же заметно, что вагон когда-то был модернизирован. После этого купе лишились антресолей…
How to make sure that CVE-2016-1000027 does not affect your application
In this blog post, I’ll talk about detecting unsafe Spring Exporters with a CodeQL query. First, I’ll describe the issue that received CVE-2016-1000027. Next, I’ll show what a vulnerable code looks like and how the issue can be mitigated in an application. Then, I’ll describe how the CodeQL query works. In addition, I’ll show a couple of vulnerabilities that have been found by the query.
What is a Spring exporter?
The Spring Framework provides classes for exporting a service bean as an endpoint. Service exporters read data from an incoming request and then pass the data to the underlying bean. …
How to detect JEXL injections with CodeQL
In this article, I’ll discuss a CodeQL query for detecting JEXL Expression Language injection vulnerabilities.
First, I’ll give a brief overview of expression languages in general and JEXL in particular. I’ll also explain what Expression Language injection is and how to prevent it. Then, I’ll describe how the CodeQL query works. In addition, I’ll show a few vulnerabilities that have been found by the query.
What Is Expression Language?
Expression Language (EL) is a general-purpose programming language mostly used for embedding and evaluating expressions at runtime. Most often, ELs are interpreted languages. In other words, there is an interpreter that prepares an execution context…
A photoresistor or a light-dependent resistor (LDR) is a resistor that changes its value (resistance) depending on light intensity. More precisely, when light falls upon it, the resistance decreases. It is normally used as a light or dark detector. For example, it may be used in a circuit that turns lights in a room on when it gets dark. Let’s see how we use a photoresistor with ESP32 and MicroPython.
Circuit for photoresistor and ESP32
In the previous posts, I described a simple weather station that measures temperature and humidity and sends the measurements to a Google sheet. The system is supposed to be used at home. Therefore, one of the next possible improvements can be measuring air quality in a room. That can be done, for example, by adding an MH-Z19B sensor for measuring CO2 level. We’ll use again a ESP32 board and MicroPython.
Preparation
The device is based on a simple weather station that I described in the following two posts:
New switch expressions, friendly NPEs and more
Java 14 is released on March 17th, 2020. Let’s take a look at what is inside, and what makes new Java different from the older versions. Here is an overview of the major updates:
- Switch Expressions
- Helpful NullPointerExceptions
- Packaging Tool (Incubator)
- Language preview features: Pattern Matching for
instanceof, Records, Text Blocks - Garbage collection: ZGC on macOS and Windows, NUMA-Aware Memory Allocation for G1, Remove the Concurrent Mark Sweep (CMS) Garbage Collector, Deprecate the ParallelScavenge + SerialOld GC Combination,
- Removal and deprecation: Deprecate the Solaris and SPARC Ports, Remove the Pack200 Tools and API
- Other: Foreign-Memory Access API (Incubator), Non-Volatile Mapped…
Artem Smotrakov
I write about Java, security, electronics and DIY
