Deserialization Issues Also Affect
.NET, Not Just Java (bleepingcomputer.com)
41
"The .NET ecosystem is affected by a similar flaw that has wreaked havoc among Java apps and developers in 2016," reports BleepingComputer. An anonymous reader writes: The issue at hand is in how some .NET libraries deserialize JSON or XML data, doing it in a total unsecured way, but also how developers handle deserialization operations when working with libraries that offer optional secure systems to prevent deserialized data from accessing and running certain methods automatically. The issue is similar to a flaw known as Mad Gadget (or Java Apocalypse) that came to light in 2015 and 2016. The flaw rocked the Java ecosystem in 2016, as it affected the Java Commons Collection and 70 other Java libraries, and was even used to compromise PayPal's servers.
Organizations such as Apache, Oracle, Cisco, Red Hat, Jenkins, VMWare, IBM, Intel, Adobe, HP, and SolarWinds , all issued security patches to fix their products. The Java deserialization flaw was so dangerous that Google engineers banded together in their free time to repair open-source Java libraries and limit the flaw's reach, patching over 2,600 projects. Now a similar issue was discovered in .NET. This research has been presented at the Black Hat and DEF CON security conferences. On page 5 [of this PDF], researchers included reviews for all the .NET and Java apps they analyzed, pointing out which ones are safe and how developers should use them to avoid deserialization attacks when working with JSON data.
Organizations such as Apache, Oracle, Cisco, Red Hat, Jenkins, VMWare, IBM, Intel, Adobe, HP, and SolarWinds , all issued security patches to fix their products. The Java deserialization flaw was so dangerous that Google engineers banded together in their free time to repair open-source Java libraries and limit the flaw's reach, patching over 2,600 projects. Now a similar issue was discovered in .NET. This research has been presented at the Black Hat and DEF CON security conferences. On page 5 [of this PDF], researchers included reviews for all the .NET and Java apps they analyzed, pointing out which ones are safe and how developers should use them to avoid deserialization attacks when working with JSON data.
Simpler solution (Score:2, Insightful)
Just don't use JSON or XML. You can thank me later.
Re: (Score:2)
So what do you recommend instead?
Re: (Score:1)
Re: Simpler solution (Score:1)
"What do you recommend?"
"Don't do anything."
Fuck off, troll.
Re: (Score:2)
That doesn't really answer the question I asked.
Re: Simpler solution (Score:2)
Re: (Score:3)
Serialization without using one of these standards is going back to the bad old days of proprietary silos. You must work for Sony.
Re: (Score:2)
JSON or YAML are probably both fine. XML is simply wasteful and unnecessary. Personally I think we should be using something like s-expressions (lisp-like). People hate them because of the parens but every other encoding has as many negative points in different ways. The advantage is that the syntax is far simpler to understand and parse leading to safer software. Some might say that having an "executable" format is bad but I'd point to bugs like this as being proof that even "text" formats are just ex
Re: Simpler solution (Score:1)
ASN.1
Real Developers never Deserialize into objects (Score:3, Insightful)
Agree. (Score:1)
It appears that the market is flooded with developers who can write scripts but not algorithms. They believe that something like parsing JSON is really hard and complicated, that any home-grown solution to doing that will be extremely buggy and slow, all because they themselves haven't taken the mental step-up.
Of course, this mental step-up used to be a standard part of a CS degree. College students would be writing code that does this sort of thing as homework. This has changed, and I have seen the chan
Re: (Score:2)
I ask them questions about their courses in algorithms and what they did, and they say things like "we learned what the foundational algorithms are and how to compare their performance." Did you actually write a merge sort? "No, there's no need because every major language has that sort of thing built in."
Consider me a cultist follower of your hypothesis. 20 years in CS, the last 10 I have seen it take a sharp dive. The only explanation I have is the explosion over 15 years ago in OSS and that what you espouse is true: Everyone thinks they can develop or engineer, because the code is tied up in nice little solution blocks.
Need a sort algo? Just codeproject.com
Need some bi-directional comm between remotes? Just github.com...etc....
The number of people I have turned away in the first two days of testing, wh
Not a .NET problem (Score:1)
This is a programming problem that can happen anywhere. No language is immune. No project is automatically secure from exploits, or able to patch framework universally for all deployments.
Java and
.NET will always have security issues, along with literally every other programming language. Anyone shocked, surprised, upset, or hostile to that concept is in the wrong profession.
Assume everything is compromised. Assume nothing is secure. Design around that assumption and you will survive.
Re: Not a .NET problem (Score:2)
Re: (Score:2)
Re: (Score:2)
Data by itself doesn't do much. The way to think about data is that it is being fed into a machine that is doing stuff. That means I can program the internal state of that machine using data. Normally we just call this "processing" but bugs like this illustrate that you have to be very careful with how you handle state. Even for "simple" formats that are just "text" like JSON, XML, YAML, and everything else. Image (binary) formats are also not immune as there have been browser attacks using bugs in com
Yeah, serialization can be annoying. (Score:2)
I'm kind of surprised this hasn't already built into a more prominent issue over time.
Performance issues I can stomach - there's going to be some unavoidable parsing logic no matter how you go at translating from runtime to storage or network logic - but instead, large swaths of objects just get ignored in major libraries. When using unity, for instance, can't serialize dictionaries, and many other objects in the default serializer - which is a major oversight.
Google actually has provided some rather nice
Re: (Score:2)
I've looked at protocol buffers but everything I've ever read about people actually using them in production says they are a nightmare over time because they are binary. Supposedly the object versioning alleviates some of this but I think people were complaining about how to deal with mandatory fields over time. I can't remember but I suspect this plus JavaScript being in the browser is what makes JSON so prevalent. I have no idea why XML is used. I can't even think of a single advantage it has over any
Free time =/= 20% time (Score:2)
Re: (Score:2)
Personally I think "exposing" objects is the problem. Your border should be a mailbox that exchanges messages and those messages should be inspected carefully before internal delivery. I have no idea why people want to dump a class they wrote onto a live internet service and just hope that it dumps data into the correct table somewhere. They dragged the "security api" icon onto the project space so it's secure.
JSON does not have code-execution ability (Score:2, Insightful)
JSON only defines a bunch of basic data types. It defines no ability to run anything. These bugs are in (de)serialization layer above it, which uses JSON as a transport and extend the meaning of the data stored to be able to deserialize higher-level objects.
JSON or XML are not the problem here. The same problem could happen if you serialized to CSV or TXT or anything else for that matter.