[ https://issues.apache.org/jira/browse/GEODE-10514?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jinwoo Hwang deleted GEODE-10514:
---------------------------------
> Enhance Session Attribute Handling with Input Validation
> --------------------------------------------------------
>
> Key: GEODE-10514
> URL: https://issues.apache.org/jira/browse/GEODE-10514
> Project: Geode
> Issue Type: Improvement
> Reporter: Jinwoo Hwang
> Assignee: Jinwoo Hwang
> Priority: Major
>
> h2. Summary
> Add input validation and filtering capabilities to the Geode session
> management module. This enhancement introduces a validation framework based
> on industry-standard security practices (ysoserial, OWASP) while maintaining
> full backward compatibility.
> h3. Blocklist Methodology
> The blocklist is based on authoritative security research:
> *Primary Sources:*
> # [ysoserial|https://github.com/frohoff/ysoserial] - Canonical gadget chain database (40+ exploits)
> # [OWASP Deserialization Cheat Sheet|https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html] - Industry best practices
> # CVE Database - Known vulnerabilities with proof-of-concept exploits
> # Security advisories from Apache, Spring, Oracle
> *Blocked Categories:*
> |Category|Examples|Reason|CVE References|
> |Commons Collections|InvokerTransformer, ChainedTransformer|Arbitrary method invocation|CVE-2015-7501|
> |Spring Internals|ObjectFactory, BeanFactory|Bean instantiation exploits|CVE-2016-1000027|
> |JDK Classes|TemplatesImpl, Proxy|Bytecode loading, dynamic proxies|CVE-2015-4852|
> |Scripting Engines|Groovy closures, JavaScript|Script execution capabilities|Various|
> |Connection Pools|C3P0, DBCP|JNDI injection vectors|CVE-2019-5427|
> |RMI/JNDI|UnicastRef, ReferenceWrapper|Remote object lookups|CVE-2016-3427|
> h3. Allowlist Methodology
> The allowlist includes classes proven safe for deserialization:
> *Included Categories:*
> # Standard Java types (String, primitives, Collections)
> # Immutable data structures (UUID, LocalDate, Optional)
> # Geode internal classes (PDX, Region, etc.)
> # Framework classes with no gadget chains
> *NOT Included (and why):*
> *Jackson ({{com.fasterxml..jackson.}}):*
> * *Should NOT be blocked* - Jackson is not a gadget chain
> * Different vulnerability domain (JSON parsing vs Java serialization)
> * Extensively used in Geode (96+ usages in core, GFSH, management API)
> * Zero entries in ysoserial's 40+ exploit payloads
> * Blocking would break legitimate functionality
> h2. Security Research References
> h3. Primary Sources
> *ysoserial Project:*
> * URL: [https://github.com/frohoff/ysoserial]
> * Description: Canonical collection of Java deserialization exploits
> * Content: 40+ proven gadget chain payloads
> * Usage: Defines our blocklist of dangerous classes
> *OWASP Deserialization Cheat Sheet:*
> * URL: [https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html]
> * Description: Industry best practices for secure deserialization
> * Guidance: Defense-in-depth, allowlisting, monitoring
> *OWASP Top 10:*
> * URL: [https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization]
> * Status: A8:2017 - Insecure Deserialization
> * Severity: Critical
> h3. CVE References
> |CVE ID|Component|Description|Exploitability|
> |CVE-2015-7501|Commons Collections|InvokerTransformer RCE|Widely exploited|
> |CVE-2015-4852|WebLogic/TemplatesImpl|Bytecode injection RCE|Active exploitation|
> |CVE-2016-1000027|Spring Framework|JtaTransactionManager RCE|Known exploits|
> |CVE-2019-5427|C3P0|JNDI injection RCE|Proof-of-concept available|
> |CVE-2017-5638|Apache Struts|OGNL deserialization|Equifax breach (2017)|
> h3. Academic Research
> *"Marshalling Pickles" (Black Hat 2017):*
> * Comprehensive analysis of serialization vulnerabilities
> * Surveyed 30+ libraries for gadget chains
> * Established classification framework
> *"Serial Killer" (Code White Security):*
> * Open-source deserialization firewall
> * Reference implementation for filtering
> * URL: [https://github.com/ikkisoft/SerialKiller]
> *Foxglove Security Research:*
> * Original disclosure of Commons Collections exploit
> * Real-world impact analysis
> * URL: [https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/]
> h3. Risk of Implementing
> *Compatibility Risk: LOW*
> * Fully backward compatible design
> * No API changes required
> * Comprehensive test coverage
> *Performance Risk: LOW*
> * Measured overhead < 2ms
> * Negligible impact on session operations
> * One-time initialization cost
> *Operational Risk: LOW*
> * Secure defaults require no configuration
> * Clear documentation and examples
> * Monitoring capabilities included
> *Overall Implementation Risk: LOW*
> h2. Compliance and Standards
> h3. Security Frameworks
> *OWASP Compliance:*
> * Addresses A8:2017 - Insecure Deserialization
> * Implements recommended defense-in-depth
> * Follows input validation best practices
> *NIST Cybersecurity Framework:*
> * Identify: Recognizes deserialization as attack vector
> * Protect: Implements filtering controls
> * Detect: Provides logging and monitoring
> * Respond: Enables security incident investigation
> *CWE Mitigation:*
> * CWE-502: Deserialization of Untrusted Data
> * Implements recommended safeguards
> * Defense-in-depth approach
> h3. Industry Standards
> *PCI-DSS 3.2.1:*
> * Requirement 6.5.8: Secure coding practices
> * Input validation on untrusted data
> * Protection against common vulnerabilities
> *SOC 2 Type II:*
> * CC6.1: Logical and physical access controls
> * CC7.2: System monitoring and detection
> * CC9.2: Risk mitigation procedures
> h3. Estimated Timeline
> * Code review completion: 1-2 weeks
> * Merge to develop: Immediately after approval
> * Next release: According to Geode release schedule
> * Backporting: Consider for supported versions (if critical)
>
> h2. Related Work
> * GEODE-10466: Jakarta EE 10 migration (related PR #7940)
>
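
The blocklist-then-allowlist check described in the issue, as an added example that is not code from the Geode project or from the reporter. It uses the JDK's ObjectInputFilter (Java 9+); the class name SessionAttributeFilterDemo, the prefix lists, and the fully qualified package names chosen for the table's classes are assumptions of this example.

```java
import java.io.*;
import java.util.*;

public class SessionAttributeFilterDemo {
    // Blocklist prefixes for categories in the issue's table (package names are this example's assumption).
    static final List<String> BLOCK = List.of(
        "org.apache.commons.collections.functors.",  // InvokerTransformer, ChainedTransformer
        "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
        "com.mchange.v2.c3p0.",                      // C3P0
        "sun.rmi.server.UnicastRef");
    // Allowlist: standard Java types only; a deployment would add its own attribute classes.
    static final List<String> ALLOW = List.of("java.lang.", "java.util.", "java.time.");

    // Blocklist wins, then allowlist, then default deny.
    static boolean permitted(String className) {
        if (BLOCK.stream().anyMatch(className::startsWith)) return false;
        return ALLOW.stream().anyMatch(className::startsWith);
    }

    static ObjectInputFilter.Status check(ObjectInputFilter.FilterInfo info) {
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED; // check carries no class (e.g. back-reference)
        while (c.isArray()) c = c.getComponentType();             // judge arrays by element type
        if (c.isPrimitive() || permitted(c.getName())) return ObjectInputFilter.Status.ALLOWED;
        System.err.println("rejected session attribute class: " + c.getName()); // audit trail
        return ObjectInputFilter.Status.REJECTED;
    }

    static Object readAttribute(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(SessionAttributeFilterDemo::check); // must be set before readObject
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }
    static class NotListed implements Serializable { int x = 1; } // constructed sample class

    public static void main(String[] args) throws Exception {
        Map<String, Object> attrs = new HashMap<>(Map.of("user", "alice", "roles", new ArrayList<>(List.of("admin"))));
        System.out.println(readAttribute(serialize(attrs)));       // standard types pass the filter
        try { readAttribute(serialize(new NotListed())); }         // not on the allowlist
        catch (InvalidClassException e) { System.out.println("blocked: " + e.getMessage()); }
    }
}
```

Because the allowlist is default-deny, the blocklist only matters once the allowlist grows broad prefixes; checking it first keeps a later allowlist addition from admitting a listed class.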