40 more software libraries may be affected by a Java deserialisation vulnerability than was originally thought, following initial research by Foxglove Security.
The risk arises when an application deserialises untrusted input without first validating it; any application that accepts serialised Java objects from an untrusted source is exposed.
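The following Java program is an added illustration, not code from the article or from SourceClear or Foxglove Security. It shows the pattern at the heart of the problem: `ObjectInputStream.readObject()` instantiates whatever class the incoming bytes name, so a service that calls it on request data hands the attacker the choice of class. The hardened variant overrides `resolveClass`, the hook `ObjectInputStream` consults before building any object, and rejects every class except the one type the service expects. The `Message` class and both sample payloads are constructed for this example; the unexpected payload is a plain `HashMap`, standing in for an attacker-chosen class, and no gadget chain is built here.

```java
import java.io.*;
import java.util.HashMap;

/*
 * Added example (not from the article): the same deserialisation call on
 * untrusted bytes, first unchecked and then restricted to an allow-list.
 * Message and the two payloads are constructed for this demonstration.
 */
public class DeserialisationDemo {

    /** The only type this service legitimately expects on the wire (assumed). */
    static final class Message implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Message(String text) { this.text = text; }
    }

    /** Vulnerable pattern: any class named in the stream is resolved and instantiated. */
    static Object readUnchecked(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    /** Hardened pattern: resolveClass runs before any object is constructed, so
     *  an unexpected class is refused without its readObject/finalizer ever running. */
    static Object readAllowListed(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc)
                    throws IOException, ClassNotFoundException {
                if (!Message.class.getName().equals(desc.getName())) {
                    throw new InvalidClassException(desc.getName(), "not on deserialisation allow-list");
                }
                return super.resolveClass(desc);
            }
        }) {
            return in.readObject();
        }
    }

    /** Produces the byte stream a client (or attacker) would send. */
    static byte[] serialise(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialise(new Message("hello"));
        // Stand-in for an attacker-chosen class. In a real attack this would be a
        // gadget chain drawn from a library on the classpath; none is built here.
        byte[] unexpected = serialise(new HashMap<String, String>());

        System.out.println("unchecked, expected type:   " + readUnchecked(expected).getClass().getName());
        System.out.println("unchecked, unexpected type: " + readUnchecked(unexpected).getClass().getName());
        System.out.println("allow-listed, expected type: " + readAllowListed(expected).getClass().getName());
        try {
            readAllowListed(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("allow-listed, unexpected type rejected: " + e.getMessage());
        }
    }
}
```

Run with `javac DeserialisationDemo.java && java DeserialisationDemo`. The unchecked reader happily returns a `java.util.HashMap` it was never meant to accept; the allow-listed reader throws `InvalidClassException` before the class is loaded. On Java 9 and later the same policy can be expressed without subclassing via `ObjectInputStream.setObjectInputFilter(ObjectInputFilter.Config.createFilter("DeserialisationDemo$Message;!*"))`, where the trailing `!*` rejects everything not explicitly listed. Neither approach helps if the expected type itself, or a type it references, carries a dangerous `readObject`; the safer answer is usually not to accept native Java serialisation from untrusted parties at all.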
Various popular open source libraries are involved, including hadoop-mapreduce-client-core, Apache Directory API All, and Standalone Jar.
SourceClear's Caleb Fenton wrote in a blog post that while the libraries themselves are not vulnerable, attackers could take control of application servers running software that loads them.
"Developers that use these libraries in their applications should be aware of the risk and should check carefully if they’re deserializing untrusted data," he said.
The initial research by Foxglove Security, published in November, described the vulnerability as "The most underrated, underhyped vulnerability of 2015" and noted that various popular products had not been patched at the time the post was written.
Fenton says that "the real underlying issue is that many established, popular, and well maintained applications were still deserializing user-supplied data."