CWE-594: J2EE Framework: Saving Unserializable Objects to… | Glexia
CWE-594 (J2EE Framework: Saving Unserializable Objects to Disk) weakness overview with consequences, detection methods, mitigations, related CVEs and MITRE ATT&CK…
Glexia's Take · Automated analysis
CWE-594: J2EE Framework: Saving Unserializable Objects to Disk
J2EE Framework: Saving Unserializable Objects to Disk represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Executive Impact
- Integrity: Modify Application Data: Data represented by unserializable objects can be corrupted.
- Availability: DoS: Crash, Exit, or Restart: Non-serializability of objects can lead to system crash.
Developer Pattern
CWE-594 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.
Automation confidence
high confidence from CWE-594, 4.20.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Official CWE Definition
CWE-594: J2EE Framework: Saving Unserializable Objects to Disk
When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully.
In heavy load conditions, most J2EE application frameworks flush objects to disk to manage memory requirements of incoming requests. For example, session scoped objects, and even application scoped objects, are written to disk when required. While these application frameworks do the real work of writing objects to disk, they do not enforce that those objects be serializable, thus leaving the web application vulnerable to crashes induced by serialization failure. An attacker may be able to mount a denial of service attack by sending enough requests to the server to force the web application to save objects to disk.
Developer And Remediation Guidance
How teams prevent and detect this weakness
Causes
- In the following Java example, a Customer Entity JavaBean provides access to customer information in a database for a business application. The Customer Entity JavaBean is used as a session scoped object to return customer information to a Session EJB. However, the Customer Entity JavaBean is an unserialized object which can cause serialization failure and crash the application when the J2EE container attempts to write the object to the system. Session scoped objects must implement the Serializable interface to ensure that the objects serialize properly.
Remediation
- Architecture and Design,Implementation: All objects that become part of session and application scope must implement the java.io.Serializable interface to ensure serializability of containing objects.
Detection
- Code review
- SAST
- DAST
- Focused regression tests
Mappings
Related CVEs, CWEs, and ATT&CK context
ATT&CK Relevance
ATT&CK relevance is shown only when reviewed or responsibly inferred.
