LiveActive security incident?Get immediate response
CWE Reference

CWE-594: J2EE Framework: Saving Unserializable Objects to… | Glexia

CWE-594 (J2EE Framework: Saving Unserializable Objects to Disk) weakness overview with consequences, detection methods, mitigations, related CVEs and MITRE ATT&CK…

Release 4.20weaknessIncomplete

Glexia's Take · Automated analysis

CWE-594: J2EE Framework: Saving Unserializable Objects to Disk

J2EE Framework: Saving Unserializable Objects to Disk represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

Executive Impact

  • Integrity: Modify Application Data: Data represented by unserializable objects can be corrupted.
  • Availability: DoS: Crash, Exit, or Restart: Non-serializability of objects can lead to system crash.

Developer Pattern

CWE-594 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.

Automation confidence

high confidence from CWE-594, 4.20.

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Official CWE Definition

CWE-594: J2EE Framework: Saving Unserializable Objects to Disk

When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully.

In heavy load conditions, most J2EE application frameworks flush objects to disk to manage memory requirements of incoming requests. For example, session scoped objects, and even application scoped objects, are written to disk when required. While these application frameworks do the real work of writing objects to disk, they do not enforce that those objects be serializable, thus leaving the web application vulnerable to crashes induced by serialization failure. An attacker may be able to mount a denial of service attack by sending enough requests to the server to force the web application to save objects to disk.

Type
weakness
Abstraction
Variant
Status
Incomplete
Source
MITRE CWE definition

Developer And Remediation Guidance

How teams prevent and detect this weakness

Causes

  • In the following Java example, a Customer Entity JavaBean provides access to customer information in a database for a business application. The Customer Entity JavaBean is used as a session scoped object to return customer information to a Session EJB. However, the Customer Entity JavaBean is an unserialized object which can cause serialization failure and crash the application when the J2EE container attempts to write the object to the system. Session scoped objects must implement the Serializable interface to ensure that the objects serialize properly.

Remediation

  • Architecture and Design,Implementation: All objects that become part of session and application scope must implement the java.io.Serializable interface to ensure serializability of containing objects.

Detection

  • Code review
  • SAST
  • DAST
  • Focused regression tests

Mappings

Related CVEs, CWEs, and ATT&CK context

Related CWEs

Related CVEs

Related CVE mappings appear after CVE records are cross-indexed.

Open CWE CVE mapping

ATT&CK Relevance

ATT&CK relevance is shown only when reviewed or responsibly inferred.