Unsafe Deserialization via RMI Parameter Types
Description
A Java RMI interface that declares methods with arbitrary object parameters (for example `Object`) allows unsafe deserialization whenever a remote caller sends crafted objects, because the RMI runtime deserializes every argument before the method body runs. This can lead to remote code execution via deserialization, typically through gadget chains present on the server's classpath.
Examples
Insecure Code

```java
import java.rmi.Remote;
import java.rmi.RemoteException;

// Any serializable object the caller sends is deserialized by the RMI runtime before this method runs.
interface MyRemote extends Remote {
    void sendObject(Object obj) throws RemoteException;
}
```

Secure Code

```java
import java.rmi.Remote;
import java.rmi.RemoteException;

// Only a String identifier crosses the wire; the server resolves it to its own trusted object.
interface MyRemote extends Remote {
    void sendId(String ticketId) throws RemoteException;
}
```

Remediation
Only use primitive or safe types (String, int, etc.) and avoid exposing methods that accept arbitrary objects.
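Added example, not code from the rule page: a server that implements the secure interface shape above and, as defense in depth, installs a JVM-wide JEP 290 deserialization filter (Java 9+) so that only `String` and the classes the RMI runtime's own distributed-GC traffic uses can be read from the wire. The service name, port, ticket-id format and the filter allowlist are assumptions; the allowlist in particular should be verified against the JDK in use before relying on it.

```java
import java.io.ObjectInputFilter;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

// Remote interface that follows the rule: callers send an identifier, never an object.
interface TicketService extends Remote {
    String status(String ticketId) throws RemoteException;
}

public class SecureTicketServer extends UnicastRemoteObject implements TicketService {
    // A String is safe to deserialize but not safe to trust: validate its shape (assumed format).
    private static final Pattern TICKET_ID = Pattern.compile("[A-Z]{3}-[0-9]{6}");
    private final Map<String, String> tickets = new ConcurrentHashMap<>();

    protected SecureTicketServer() throws RemoteException {
        super();
        tickets.put("ABC-000001", "open");   // constructed sample data
    }

    @Override
    public String status(String ticketId) throws RemoteException {
        if (ticketId == null || !TICKET_ID.matcher(ticketId).matches()) {
            throw new IllegalArgumentException("malformed ticket id");
        }
        return tickets.getOrDefault(ticketId, "unknown");
    }

    public static void main(String[] args) throws Exception {
        // Defense in depth (JEP 290): every ObjectInputStream in this process consults this
        // allowlist, so a gadget class on the classpath cannot be instantiated from the wire
        // even if a method with an Object parameter is added later. The class list is an
        // assumption: confirm it with -Djdk.serialFilter and the java.io.serialization
        // logger on the target JDK. setSerialFilter throws if the property was already set.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "java.lang.String;java.rmi.server.UID;java.rmi.server.ObjID;"
              + "java.rmi.dgc.VMID;java.rmi.dgc.Lease;maxdepth=8;!*");
        ObjectInputFilter.Config.setSerialFilter(filter);

        Registry registry = LocateRegistry.createRegistry(1099);   // assumed port
        registry.rebind("tickets", new SecureTicketServer());       // assumed service name
    }
}
```

The filter must be installed before any RMI object is exported, since the registry and DGC streams are created at that point.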
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0500 |
| Category | Deserialization |
| Severity | MEDIUM |
| CWE | CWE-502 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | insecure deserialization, rmi, java |
| OWASP | A8:2017-Insecure Deserialization, A08:2021-Software and Data Integrity Failures |