Re: Oracle plans to dump risky Java serialization | InfoWorld
interesting ..
Suddenly java gets passed by reference instead of value?
things like: (sounds dark magic to me ;) )
@Serializer
public pattern Range(int lo, int hi) {
lo = this.lo;
hi = this.hi;
}
On Wed, 12 Jun 2019 at 12:47, Martin Grigorov wrote:
> Current state:
> http://cr.openjdk.java.net/~briangoetz/amber/serialization.html
>
> On Sat, May 26, 2018 at 1:39 PM Martijn Dashorst <
> martijn.dasho...@gmail.com>
> wrote:
>
> >
> >
> >
> https://www.infoworld.com/article/3275924/java/oracle-plans-to-dump-risky-java-serialization.amp.html?__twitter_impression=true
> >
> > Oracle plans to dump risky Java serialization
> > A “horrible mistake” from 1997, the Java object serialization capability
> > for encoding objects has serious security issues
> >
> > Paul Krill
> >
> > Getty Images
> > Oracle plans to drop from Java its serialization feature that has been a
> > thorn in the side when it comes to security. Also known as Java object
> > serialization, the feature is used for encoding objects into streams of
> > bytes. Used for lightweight persistence and communication via sockets or
> > Java RMI, serialization also supports the reconstruction of an object
> graph
> > from a stream.
> >
> > Removing serialization is a long-term goal and is part of Project Amber,
> > which is focused on productivity-oriented Java language features, says
> Mark
> > Reinhold, chief architect of the Java platform group at Oracle.
> >
> > To replace the current serialization technology, a small serialization
> > framework would be placed in the platform once records, the Java version
> of
> > data classes, are supported. The framework could support a graph of
> > records, and developers could plug in a serialization engine of their
> > choice, supporting formats such as JSON or XML, enabling serialization of
> > records in a safe way. But Reinhold cannot yet say which release of Java
> > will have the records capability.
> >
> > Serialization was a “horrible mistake” made in 1997, Reinhold says. He
> > estimates that at least a third—maybe even half—of Java vulnerabilities
> > have involved serialization. Serialization overall is brittle but holds
> the
> > appeal of being easy to use in simple use cases, Reinhold says.
> >
> > Recently, a filtering capability was added to Java so if serialization is
> > being used on a network and untrusted serialization data streams must be
> > accepted, there is a way to filter which classes can be mentioned, to
> > provide a defense mechanism against serialization’s security weaknesses.
> > Reinhold says Oracle has received many reports are received about
> > application servers running on the network with unprotected ports taking
> > serialization streams, which is why the filtering capability was
> developed.
> >
> >
>
Re: Oracle plans to dump risky Java serialization | InfoWorld
Thanks for sharing! On Wed, 12 Jun 2019 at 17:47, Martin Grigorov wrote: > > Current state: > http://cr.openjdk.java.net/~briangoetz/amber/serialization.html > > On Sat, May 26, 2018 at 1:39 PM Martijn Dashorst > wrote: > > > > > > > https://www.infoworld.com/article/3275924/java/oracle-plans-to-dump-risky-java-serialization.amp.html?__twitter_impression=true > > > > Oracle plans to dump risky Java serialization > > A “horrible mistake” from 1997, the Java object serialization capability > > for encoding objects has serious security issues > > > > Paul Krill > > > > Getty Images > > Oracle plans to drop from Java its serialization feature that has been a > > thorn in the side when it comes to security. Also known as Java object > > serialization, the feature is used for encoding objects into streams of > > bytes. Used for lightweight persistence and communication via sockets or > > Java RMI, serialization also supports the reconstruction of an object graph > > from a stream. > > > > Removing serialization is a long-term goal and is part of Project Amber, > > which is focused on productivity-oriented Java language features, says Mark > > Reinhold, chief architect of the Java platform group at Oracle. > > > > To replace the current serialization technology, a small serialization > > framework would be placed in the platform once records, the Java version of > > data classes, are supported. The framework could support a graph of > > records, and developers could plug in a serialization engine of their > > choice, supporting formats such as JSON or XML, enabling serialization of > > records in a safe way. But Reinhold cannot yet say which release of Java > > will have the records capability. > > > > Serialization was a “horrible mistake” made in 1997, Reinhold says. He > > estimates that at least a third—maybe even half—of Java vulnerabilities > > have involved serialization. Serialization overall is brittle but holds the > > appeal of being easy to use in simple use cases, Reinhold says. > > > > Recently, a filtering capability was added to Java so if serialization is > > being used on a network and untrusted serialization data streams must be > > accepted, there is a way to filter which classes can be mentioned, to > > provide a defense mechanism against serialization’s security weaknesses. > > Reinhold says Oracle has received many reports are received about > > application servers running on the network with unprotected ports taking > > serialization streams, which is why the filtering capability was developed. > > > > -- WBR Maxim aka solomax
Re: Oracle plans to dump risky Java serialization | InfoWorld
Current state: http://cr.openjdk.java.net/~briangoetz/amber/serialization.html On Sat, May 26, 2018 at 1:39 PM Martijn Dashorst wrote: > > > https://www.infoworld.com/article/3275924/java/oracle-plans-to-dump-risky-java-serialization.amp.html?__twitter_impression=true > > Oracle plans to dump risky Java serialization > A “horrible mistake” from 1997, the Java object serialization capability > for encoding objects has serious security issues > > Paul Krill > > Getty Images > Oracle plans to drop from Java its serialization feature that has been a > thorn in the side when it comes to security. Also known as Java object > serialization, the feature is used for encoding objects into streams of > bytes. Used for lightweight persistence and communication via sockets or > Java RMI, serialization also supports the reconstruction of an object graph > from a stream. > > Removing serialization is a long-term goal and is part of Project Amber, > which is focused on productivity-oriented Java language features, says Mark > Reinhold, chief architect of the Java platform group at Oracle. > > To replace the current serialization technology, a small serialization > framework would be placed in the platform once records, the Java version of > data classes, are supported. The framework could support a graph of > records, and developers could plug in a serialization engine of their > choice, supporting formats such as JSON or XML, enabling serialization of > records in a safe way. But Reinhold cannot yet say which release of Java > will have the records capability. > > Serialization was a “horrible mistake” made in 1997, Reinhold says. He > estimates that at least a third—maybe even half—of Java vulnerabilities > have involved serialization. Serialization overall is brittle but holds the > appeal of being easy to use in simple use cases, Reinhold says. > > Recently, a filtering capability was added to Java so if serialization is > being used on a network and untrusted serialization data streams must be > accepted, there is a way to filter which classes can be mentioned, to > provide a defense mechanism against serialization’s security weaknesses. > Reinhold says Oracle has received many reports are received about > application servers running on the network with unprotected ports taking > serialization streams, which is why the filtering capability was developed. > >
Oracle plans to dump risky Java serialization | InfoWorld
https://www.infoworld.com/article/3275924/java/oracle-plans-to-dump-risky-java-serialization.amp.html?__twitter_impression=true Oracle plans to dump risky Java serialization A “horrible mistake” from 1997, the Java object serialization capability for encoding objects has serious security issues Paul Krill Getty Images Oracle plans to drop from Java its serialization feature that has been a thorn in the side when it comes to security. Also known as Java object serialization, the feature is used for encoding objects into streams of bytes. Used for lightweight persistence and communication via sockets or Java RMI, serialization also supports the reconstruction of an object graph from a stream. Removing serialization is a long-term goal and is part of Project Amber, which is focused on productivity-oriented Java language features, says Mark Reinhold, chief architect of the Java platform group at Oracle. To replace the current serialization technology, a small serialization framework would be placed in the platform once records, the Java version of data classes, are supported. The framework could support a graph of records, and developers could plug in a serialization engine of their choice, supporting formats such as JSON or XML, enabling serialization of records in a safe way. But Reinhold cannot yet say which release of Java will have the records capability. Serialization was a “horrible mistake” made in 1997, Reinhold says. He estimates that at least a third—maybe even half—of Java vulnerabilities have involved serialization. Serialization overall is brittle but holds the appeal of being easy to use in simple use cases, Reinhold says. Recently, a filtering capability was added to Java so if serialization is being used on a network and untrusted serialization data streams must be accepted, there is a way to filter which classes can be mentioned, to provide a defense mechanism against serialization’s security weaknesses. Reinhold says Oracle has received many reports are received about application servers running on the network with unprotected ports taking serialization streams, which is why the filtering capability was developed.
