The Java Apocalypse of 2015 and 2016
Attacks via deserialization operations have been known since 2011, but they became everyone's problem in early 2015, when two researchers — Chris Frohoff and Gabriel Lawrence — found a deserialization flaw in Apache Commons Collections, a very popular Java library.
Researchers from Foxglove Security expanded on the initial work in late 2015, showing how an attacker could exploit a deserialization flaw in Java applications whose developers had incorrectly relied on the Apache Commons Collections library when handling deserialization operations.
Their experiments showed that an attacker could upload malicious data to popular Java apps such as WebLogic, WebSphere, JBoss, Jenkins, and OpenNMS. This data would be serialized and stored in a database or in memory, but when the app later deserialized it to use its content, it would also execute the attacker's additional code on the affected system.
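The defensive counterpart to the mechanism just described is to refuse any class the application did not expect before the JVM instantiates it. The following is an added example, not code from the article or from any of the products named above: a subclass of the standard ObjectInputStream that enforces a class allowlist in resolveClass(); the Session type, the allowlist contents and the sample objects are constructed for the demonstration (Java 9+ for Set.of).

```java
import java.io.*;
import java.util.Set;
// Hardened stream: only classes on the allowlist may be resolved. Gadget-chain
// attacks depend on the stream naming classes the application never meant to
// deserialize; rejecting them in resolveClass() runs before any of their logic does.
public class SafeObjectInputStream extends ObjectInputStream {
    // Hypothetical application type used to show the allowlist in action.
    static class Session implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user; final int ttl;
        Session(String user, int ttl) { this.user = user; this.ttl = ttl; }
    }
    // Constructed allowlist: only the types this stream is expected to carry.
    // (Strings and primitives are encoded inline and never reach resolveClass.)
    private static final Set<String> ALLOWED = Set.of(Session.class.getName());

    public SafeObjectInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // Fail closed; the rejected class name is the signal worth logging/alerting on.
            throw new InvalidClassException(name, "class not in deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected type: accepted.
        byte[] ok = serialize(new Session("alice", 3600));
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(ok))) {
            System.out.println("accepted: " + ((Session) in.readObject()).user);
        }
        // Unexpected type (a plain HashMap stands in for any class that was not
        // allowlisted): rejected before it is instantiated.
        byte[] bad = serialize(new java.util.HashMap<String, String>());
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(bad))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

On Java 9 and later the same policy can be expressed without subclassing through ObjectInputFilter (or the jdk.serialFilter system property), which is the preferred route when you control the runtime.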
The flaw rocked the Java ecosystem in 2016, as it also affected 70 other Java libraries, and was even used to compromise PayPal's servers.
Organizations such as Apache, Oracle, Cisco, Red Hat, Jenkins, VMware, IBM, Intel, Adobe, HP, and SolarWinds all issued security patches to fix their products.
The Java deserialization flaw was so dangerous that Google engineers banded together in their free time to repair open-source Java libraries and limit the flaw's reach, patching over 2,600 projects.
Internally at Google, the flaw was referred to as Mad Gadget, but the rest of the world called it the Java Apocalypse.