When the application does not implement controls over the JMS object types it accepts, its clients may be able to force the deserialization of arbitrary
objects. This may lead to deserialization injection attacks.
What is the potential impact?
Attackers will be able to force the deserialization of arbitrary objects. This process will trigger the execution of magic unmarshalling methods on
the object and its properties. With a specially crafted serialized object, the attackers can exploit those magic methods for malicious
purposes.
While the exact impact depends on the types available in the execution context at the time of deserialization, such an attack can generally lead to
the execution of arbitrary code on the application server.
Application-specific attacks
By exploiting the behavior of some of the application-defined types and objects, the attacker could manage to affect the application’s business
logic. The exact consequences will depend on the application’s nature:
- Payment bypass in an e-commerce application.
- Privilege escalation.
- Unauthorized users' data access.
Publicly-known exploitation
In some cases, depending on the libraries the application uses and their versions, publicly known deserialization attack payloads,
known as gadget chains, may exist. In general, they are designed to have severe consequences, such as:
- Arbitrary code execution
- Arbitrary file read or write
- Server-side request forgery
Those attacks are independent of the application’s own logic and of the types it specifies.
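The missing control described in the first paragraph, as an added example that is not part of the original text: a consumer that calls ObjectMessage.getObject() with no restriction on the classes it may deserialize, beside a hardened version that limits deserialization to a list of trusted packages using Apache ActiveMQ's client connection factory. OrderEvent, the package name com.example.orders and the listener classes are constructed for illustration.

```java
import java.io.Serializable;
import java.util.Arrays;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageListener;
import javax.jms.ObjectMessage;
import org.apache.activemq.ActiveMQConnectionFactory;

// Constructed for this example: the one application type the consumer expects.
class OrderEvent implements Serializable {
    private static final long serialVersionUID = 1L;
    String orderId;
}

public class JmsObjectMessageConsumer {
    // Vulnerable: getObject() deserializes the payload before any type check runs, so
    // every serializable class on the consumer's classpath is a candidate and its
    // readObject/readResolve methods execute. The cast to OrderEvent comes too late.
    static class UnrestrictedListener implements MessageListener {
        public void onMessage(Message message) {
            try {
                if (message instanceof ObjectMessage) {
                    process((OrderEvent) ((ObjectMessage) message).getObject());
                }
            } catch (JMSException e) { /* too late: deserialization already ran */ }
        }
    }

    // Hardened: tell the client library which packages may be deserialized. ActiveMQ's
    // ObjectMessage.getObject() then rejects any other class with a JMSException before
    // it is loaded or instantiated. "com.example.orders" is a hypothetical package.
    static ActiveMQConnectionFactory restrictedFactory(String brokerUrl) {
        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(brokerUrl);
        factory.setTrustAllPackages(false);
        factory.setTrustedPackages(Arrays.asList("com.example.orders"));
        return factory;
    }

    static class RestrictedListener implements MessageListener {
        public void onMessage(Message message) {
            try {
                if (!(message instanceof ObjectMessage)) return;          // unexpected message kind
                Object payload = ((ObjectMessage) message).getObject();   // throws for untrusted classes
                if (payload instanceof OrderEvent) process((OrderEvent) payload);
            } catch (JMSException e) { /* log and drop: class outside the trusted packages */ }
        }
    }

    static void process(OrderEvent event) { /* business logic */ }
}
```

Consumers created from restrictedFactory() reject payloads naming classes outside the listed packages; a rejected message is worth logging, since it is a direct signal of a tampered or hostile producer.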