maasd

Dynamic Code Evaluation: Unsafe Deserialization

We are getting these findings on classes that are not serializable.  Why is this an issue?

Micro Focus Frequent Contributor

Re: Dynamic Code Evaluation: Unsafe Deserialization

This is difficult to answer without any details, as you can imagine.

Would it be possible for you to open a support ticket and add some examples?

markberrier

Re: Dynamic Code Evaluation: Unsafe Deserialization

Is there an update to this that you can share back to the forum?
maasd

Re: Dynamic Code Evaluation: Unsafe Deserialization

This is adapted from a Java file:

```java
class a implements b {
…
}
```

Interface b extends interface c, which does not extend anything. None of the interfaces implements the Serializable interface. A comment at the top of c’s Java file says: “Generic JMX Hook (interface). Only methods defined here get exposed in JMX Server”


Fortify finds “Dynamic code evaluation: unsafe deserialization” on the “class a implements b” line.  The Analysis Trace only lists that line.  The Primary Rule ID is 6A61FD4B-B019-4678-9609-0700F2FCAFDA if that helps.


I’m not a Java guru, but I don’t understand why Fortify says unsafe deserialization is an issue if the class is not serializable.  Does JMX have something to do with it?
