Fix Version/s: SonarQube 8.4
Deserialization of untrusted data leading to vulnerabilities was revealed a dozen years ago and was made popular in 2015 by Frohoff and Lawrence's AppSecCali presentation "Marshalling Pickles".
Although this vulnerability has been in the spotlight for quite some time now, it has not been eliminated yet and continues to be the topic of talks year after year at AppSec conferences:
- Defending against Java Deserialization Vulnerabilities - OWASP Meeting 2016
- Deserialization: what, how and why [not] - OWASP AppSec 2018 USA
- Automated Discovery of Deserialization Gadget Chains - BlackHat 2018
- (In)secure Deserialization, And How (Not) To Do It - OWASP AppSec 2019 Amsterdam - Alexei Kojenov
In parallel, tools allowing to create gadgets (payloads to be deserialized) are regularly maintained, showing that this vulnerability is still active and exploited:
CWE Top 25
Deserialization of Untrusted Data (CWE-502) is still part of the CWE Top 25 classification, at the 23rd position, and as such we should cover it properly.
We already provide a rule for Java (RSPEC-5135). It is working well in some cases and we want to be sure it works well in almost all cases and confirm we can detect past CVEs. We need to perform the same validation work we did for the SQLi rule to guarantee a high level of quality.
The goal of this MMF is to be strong at detecting Insecure Deserialization, meaning: