Severity
🔴 Critical - Remote Code Execution vulnerability
Location
File: /home/sfloess/Development/github/FlossWare/commons-java/src/main/java/org/flossware/commons/util/StringUtil.java:397
Vulnerability Description
The ObjectInputFilter implementation allows all array types with className.startsWith("[L"), which permits deserialization of arrays containing untrusted classes (e.g., [Lcom.evil.Exploit;).
An attacker could bypass the package whitelist by wrapping malicious objects in arrays, leading to Remote Code Execution.
Technical Details
The current filter validates array types by checking the prefix [L, but does not validate the component type of the array. This means:
- ✅ Allowed: [Ljava.lang.String; (array of String)
- ❌ Should block but doesn't: [Lcom.evil.Exploit; (array of malicious class)
- ❌ Should block but doesn't: [[Lcom.evil.Exploit; (2D array of malicious class)
Impact
- Attack Vector: Deserialization of untrusted data
- Consequence: Remote Code Execution (RCE)
- CVSS: Critical (likely 9.0+)
- CWE: CWE-502 (Deserialization of Untrusted Data)
Affected Code
The vulnerability is in the ObjectInputFilter implementation that only checks array prefix without validating component types.
Recommended Fix
The filter should:
- Extract the component type from array class names
- Validate that the component type is in the allowed package list
- Recursively validate multi-dimensional arrays
Example fix:
// Extract the component type from JVM array notation such as "[Lcom.evil.Exploit;"
// or "[[Lcom.evil.Exploit;" by stripping one "[" per array dimension
String componentType = className;
while (componentType.startsWith("[")) {
    componentType = componentType.substring(1);
}
if (componentType.startsWith("L") && componentType.endsWith(";")) {
    // Object array: the component class name sits between "L" and ";"
    componentType = componentType.substring(1, componentType.length() - 1);
}
// Otherwise a primitive array descriptor (I, B, etc.) remains and carries no object graph
// Then validate componentType against the whitelist
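As an added example (not the project's code) of the hardened filter the fix calls for, the class below unwraps every array dimension with Class.getComponentType() instead of parsing the "[L" prefix and checks the leaf class against an allowed-package list; the package prefixes, the array-length cap and the class name are assumptions for illustration.

```java
import java.io.ObjectInputFilter;
import java.io.ObjectInputFilter.FilterInfo;
import java.io.ObjectInputFilter.Status;
import java.util.Set;

/** Whitelist filter that validates the component type of arrays, however many dimensions. */
public final class ComponentTypeFilter implements ObjectInputFilter {
    // Hypothetical allowed package prefixes; substitute the project's real whitelist.
    private static final Set<String> ALLOWED_PREFIXES = Set.of("java.lang.", "java.util.");
    // Hypothetical cap: oversized arrays are a resource-exhaustion risk even when the type is allowed.
    private static final long MAX_ARRAY_LENGTH = 10_000;

    @Override
    public Status checkInput(FilterInfo info) {
        Class<?> clazz = info.serialClass();
        if (clazz == null) {
            // Invoked for depth/reference accounting without a class; let the other limits decide.
            return Status.UNDECIDED;
        }
        if (clazz.isArray() && info.arrayLength() > MAX_ARRAY_LENGTH) {
            return Status.REJECTED;
        }
        // Unwrap every dimension: [[Lcom.evil.Exploit; -> com.evil.Exploit
        while (clazz.isArray()) {
            clazz = clazz.getComponentType();
        }
        if (clazz.isPrimitive()) {
            return Status.ALLOWED; // int[], byte[], ... carry no object graph
        }
        String name = clazz.getName();
        for (String prefix : ALLOWED_PREFIXES) {
            if (name.startsWith(prefix)) {
                return Status.ALLOWED;
            }
        }
        return Status.REJECTED; // anything outside the whitelist, wrapped in an array or not
    }

    /** The weak check the report describes, kept for comparison: any "[L..." array passes. */
    static boolean weakPrefixCheckAllows(String className) {
        return className.startsWith("[L");
    }
}
```

Install it with ObjectInputStream.setObjectInputFilter before the first readObject call; because the stream consults the filter when the array class is read, the whole array is rejected before it is allocated rather than element by element.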
Security Standards
Per OWASP and project security policy:
- OWASP Dependency Check threshold: CVSS 7.0
- This vulnerability exceeds that threshold
- Immediate remediation required
References
Priority: P0 - Critical security vulnerability requiring immediate attention