Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases now! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon

Oracle reveals issues in Object Serialization. Plans to drop it from core Java.

Save for later
  • 2 min read
  • 31 May 2018

article-image

The Java team is planning to remove the Java Serialization feature from core Java language. This is owing to some security issues with the object serialization API.

What is Java’s Object Serialization feature?


The Serialization API converts the message in a data communication system into a sequence of bytes which can be processed further. The sequence of bytes is made into an object and written in a Java file. This file can be read and deserialized to recreate the message in the memory.

Why is Oracle calling it a mistake?


Approximately one-third of all the vulnerabilities in the Java systems have serialization involved.

Mark Reinhold, chief Architect from Oracle mentioned that Oracle has been receiving reports that revealed the security weakness in Java Serialization. They have found a lot of applications servers receive serialization data streams on unprotected ports of a server. The attackers can use the easy use case of the serialized object and deserialize to recreate the object.

Adding to the overhaul, Reinhold called the serialization feature as a “horrible mistake” made in 1997.

To counteract these vulnerabilities, Oracle has added a filtering capability in Java to provide a defense mechanism for the network using serialization and receiving untrusted data streams.

Oracle also mentioned their plans to remove serialization from Java as a long-term plan under Project Amber, focussed on streamlining the release cycle of Java and to enhance the productivity of the Java language in the Java 11 release.

Looking ahead


To continue to support the serialization in Java language, Oracle is planning to add a Serialization feature that will enable object serialization in a safe way. The framework will also be developed to support graphs, that supports JSON or XML to provide serialization of any record.