CLASSIFICATION: UNCLASSIFIED

We played with CWE-499 for a while and couldn't get variables that don't explicitly disable serialization to serialize (a statement in the CWE and implied by the example) without using reflection; however, using reflection, you can change the scope of internal variables (e.g., making them public instead of private) so that they can be serialized again anyway.
Should CWE-499 be rewritten to match more closely with SER03-J (https://wiki.sei.cmu.edu/confluence/display/java/SER03-J.+Do+not+serialize+unencrypted+sensitive+data)? Even if it is, don't the protections afforded by implementing SER03-J still become pointless when reflection is used? We plan to publish a more verbose walkthrough of this issue Monday of next week (https://github.com/squinky86/SwATips/blob/main/html/articles/20210830.pdf), but I wanted to make sure we weren't missing something. Any chance someone with more Java knowledge can take a look at it before Monday? TIA!

Jon
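As an added example, not part of the original message or the SwATips write-up, the following Java program contrasts a Serializable class that keeps a secret in a plain private String field with one that marks the field transient as SER03-J recommends, serializes both with ObjectOutputStream, and checks whether the secret bytes appear in the resulting stream. The class names, field names and the sample credential are constructed for this illustration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

// Added example for CWE-499 / SER03-J; not code from the original post.
public class Ser03Demo {
    // Sensitive data in a private field: access modifiers do not affect
    // default serialization, so ObjectOutputStream still writes it.
    static class LeakyCredential implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String username;
        private final String password;
        LeakyCredential(String u, String p) { username = u; password = p; }
    }

    // SER03-J mitigation: the transient modifier excludes the field from
    // the default serialized form.
    static class GuardedCredential implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String username;
        private transient String password;
        GuardedCredential(String u, String p) { username = u; password = p; }
    }

    // Serialize any object to its raw byte form.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // String fields are written as modified UTF-8, which equals ASCII for
    // ASCII input, so a byte-for-byte search finds a plaintext secret.
    static boolean containsSecret(byte[] stream, String secret) {
        return new String(stream, StandardCharsets.ISO_8859_1).contains(secret);
    }

    public static void main(String[] args) throws IOException {
        String secret = "sample-secret-not-real"; // constructed value
        byte[] leaky = serialize(new LeakyCredential("alice", secret));
        byte[] guarded = serialize(new GuardedCredential("alice", secret));
        System.out.println("plain private field exposes secret: " + containsSecret(leaky, secret));
        System.out.println("transient field exposes secret:     " + containsSecret(guarded, secret));
    }
}
```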