Must-share information (formatted with Markdown):
- which versions are you using : Sonarqube 9.4
- what are you trying to achieve:
On scanning our code, a vulnerability was reported:
"Object deserialization of untrusted data can lead to remote code execution, if there is a class in classpath that allows the trigger of malicious operation.
Libraries developers tend to fix class that provided potential malicious trigger. There are still classes that are known to trigger Denial of Service[1].
Deserialization is a sensible operation that has a great history of vulnerabilities. The web application might become vulnerable as soon as a new vulnerability is found in the Java Virtual Machine[2] [3].
"
Fixing this by using filters as mentioned in the Oracle documentation does not help as the vulnerability still persists in the next scan.
We are using openjdk version 17
- what have you tried so far to achieve this
try (ByteArrayInputStream bis = new ByteArrayInputStream(obj); ObjectInputStream in = new ObjectInputStream(bis)
{
84 … in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(“com.xx.xxx.xxxx.xxxx.;java.lang.;java.util.;org.jdom.;!*”));
