Detecting Jackson deserialization vulnerabilities with CodeQL


Artem Smotrakov

Aug 4, 2021, 10:53:05 AM
to jackson-user
Hi All,

You might have heard about deserialization vulnerabilities. If you use Jackson libraries and run a security scanner, you might have received quite a lot of alerts about deserialization vulnerabilities. Those findings are quite often false alerts because applications often use Jackson in a safe way. But sometimes they don't, and deserialization attacks become a real threat. Now the real issues in applications can be detected with CodeQL. In case you don't know, CodeQL is a code analysis engine. I recently updated the java/unsafe-deserialization query to cover Jackson as well.


The query checks the conditions for unsafe deserialization that Tatu described earlier.


I also wrote a short blog post about the query.


Artem
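The pattern the query looks for, as an added illustration that is not part of Artem's post and not taken from the query source: Jackson only becomes a deserialization sink when polymorphic typing is switched on (default typing, or @JsonTypeInfo with a class-name id), the declared target type is open enough (Object, an interface, or a non-final class) that the JSON gets to name the concrete class, and the JSON comes from an untrusted party. The class, field and package names below are assumptions; the JSON input is constructed for the example. The first mapper shows the configuration a scanner should flag, the other two show the forms that do not hand control of the class name to the client.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingDemo {

    // Hypothetical application type. The Object-typed field is what makes this a
    // polymorphic target: with default typing on, the JSON names the class to build.
    public static class Message {
        public String subject;
        public Object payload;
    }

    // VULNERABLE pattern: default typing for Object / non-concrete declared types.
    // enableDefaultTyping() is deprecated since 2.10 precisely because of this; any
    // class on the classpath with a usable constructor/setters can be instantiated
    // from the type name in the JSON. This is the shape java/unsafe-deserialization
    // reports when the input is attacker-controlled.
    static ObjectMapper unsafeMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // OBJECT_AND_NON_CONCRETE
        return mapper;
    }

    // SAFE: no default typing at all. A ["name", {...}] array in the JSON is just
    // a list containing a string and a map; no class lookup happens.
    static ObjectMapper plainMapper() {
        return new ObjectMapper();
    }

    // SAFE when polymorphism is genuinely needed: default typing gated by a
    // PolymorphicTypeValidator that only admits the application's own package
    // (prefix is an assumption for the example). Everything else is rejected
    // before any class is loaded.
    static ObjectMapper restrictedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.app.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv); // OBJECT_AND_NON_CONCRETE, validated
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the client picks the class name for "payload".
        // java.util.HashMap is harmless; a gadget class on the classpath would not be.
        String untrusted =
                "{\"subject\":\"hi\",\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";

        // Unsafe mapper: payload becomes an instance of whatever class the JSON named.
        Message m1 = unsafeMapper().readValue(untrusted, Message.class);
        System.out.println("unsafe mapper built payload as: "
                + m1.payload.getClass().getName());

        // Plain mapper: the same bytes are just data (a List), the name is never resolved.
        Message m2 = plainMapper().readValue(untrusted, Message.class);
        System.out.println("plain mapper built payload as: "
                + m2.payload.getClass().getName());

        // Restricted mapper: the validator refuses a type id outside the allowed prefix.
        try {
            restrictedMapper().readValue(untrusted, Message.class);
            System.out.println("restricted mapper accepted the type id (unexpected)");
        } catch (InvalidTypeIdException e) {
            System.out.println("restricted mapper rejected type id: " + e.getTypeId());
        }
    }
}
```

When triaging scanner alerts on Jackson, these three mappers are the distinction to make: a readValue call on untrusted data is only a real finding if the mapper (or an @JsonTypeInfo annotation with Id.CLASS or Id.MINIMAL_CLASS on the target) lets the JSON choose the class and nothing validates that choice. The plain mapper is a false positive; the restricted one is acceptable provided the allowed prefix contains no gadget-like types.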

Tatu Saloranta

Aug 11, 2021, 6:55:27 PM
to jackson-user
Thank you for sharing this! This looks very interesting,

-+ Tatu +-
