MID-077: Secure Deserialization

Mitigation Tier: Foundational

Description

Serialized data should not be implicitly trusted. To check for the structure and contents of serialized data, that data needs to be deserialized, which could cause vulnerable code to run. For example, data that is serialized in a legitimately valid format may still include data that is unsafe and can lead to code injection. Input validation against the serialization format is insufficient defense in this case.

When its use cannot be avoided, serialized data’s authenticity should be checked prior to performing deserialization, such as signing it to verify the authenticity of the origin of the data. Additionally, if data needs to be serialized/deserialized, simpler structures and formats should be preferred that are easier to verify for safety prior to deserialization.

IEC 62443 4-2 Mappings

• CR 3.5 - Input validation 

• SAR / EDR / HDR / NDR 3.2 – Protection from malicious code

References

[1] OWASP. “Deserialization Cheat Sheet.” owasp.org. Accessed: Aug. 28, 2024. [Online.] Available: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html

[2] B. Vermeer. “Serialization and deserialization in Java: explaining the Java deserialize vulnerability.” synk.io. Accessed: Aug. 28, 2024. [Online.] Available: https://snyk.io/blog/serialization-and-deserialization-in-java/

MID-077