December 7, 2015

40 more software libraries hit by Java deserialisation bug

News: Issue with popular software libraries leaves apps exposed.

By Charlotte Henry

40 more software libraries than originally thought may be affected by a Java deserialisation vulnerability, following initial research by Foxglove Security.

The risk comes from apps not validating untrusted input before deserialisation, with this affecting all apps that accept serialised Java objects.

Various popular open source libraries are involved, including hadoop-mapreduce-client-core, Apache Directory API All, and Standalone Jar.

SourceClear’s Caleb Fenton wrote in a blog post that while the libraries themselves are not vulnerable, hackers could take control of app servers that run the affected libraries.

"Developers that use these libraries in their applications should be aware of the risk and should check carefully if they’re deserializing untrusted data," he said.

The initial research by Foxglove Security in November described the vulnerability as "The most underrated, underhyped vulnerability of 2015", and said that various popular products had, at the time the post was written, not been patched.

Fenton says that "the real underlying issue is that many established, popular, and well maintained applications were still deserializing user-supplied data."
