Deserialization of Untrusted Data

Summary

ZDRES-232 (Issue): resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy Assessment: Fully addressed. When the serialised stream contains a TC_PROXYCLASSDESC (the marker for a java.lang.reflect.Proxy ), JDKs ObjectInputStream.readProxyDesc() is dispatched. JDK then calls the default ObjectInputStream.resolveProxyClass(interfaces) implementation, which performs Class.forName(intf, false, latestUserDefinedLoader()) for EACH interface name and constructs the proxy class, bypassing the accepted classes list . ZDRES-233 (Issue): Class.forName(name, initialize=true, classLoader) in readClassDescriptor Triggers Static Initialiser of Allow-Listed Classes Assessment: Fully addressed. For ANY class on the allow-list, deserialising a stream that names it triggers the classs (static initialiser) BEFORE any instance is constructed. This means an attacker who supplies a class name on the allow-list (e.g., the developer wrote accept(com.myapp.*") , attacker supplies com.myapp.SomeClass ) causes <clinit> of SomeClass and many real-world classes have side-effecting static initialisers Both issues are part of this CVE and have been fixed. This affects versions prior to 2.0.29, 2.1.x prior to 2.1.13, and 2.2.x prior to 2.2.8.