#it would involve like. solving the mystery of what happened to Lawrence and also dealing with the gross weird being inhabiting his corpse
Uh oh. I may have a new Beetlejuice AU to write a fanfic for alongside LoopJuice.
Basically, the Maitlands are alive and family friends of the Deetz, and Emily still passes away, but in a car accident involving another family friend, Lawrence, whose body was never found. A year after that, Lydia stumbles upon her dear friend wandering through a graveyard.
But it isn't him.
It's a demon named Beetlejuice possessing his dead body.
#beetlejuice#lydia deetz#it would be from Lydia's POV mostly and feature a more morally reprehensible version of Beej#funny to imagine this Beej vs LoopJuice Beej#LoopJuice Beej is soft and kind and this Beej is just. a horrible rabid creature possessing a corpse but also… perhaps eventually family?#just an idea! not sure if I'll have the energy or time to write it#it would involve like. solving the mystery of what happened to Lawrence and also dealing with the gross weird being inhabiting his corpse#probably would have a not happy ending.. more of a neutral one#or maybe a happy one if I get attached to this Beetlejuice idk#corpsejuice
My Episode 7 Predictions!
Mother of God! How have these weeks passed by so fast?! I've decided to share what I think will be answered tomorrow night and some of the fates of our beloved characters! The series has gotten off to an even bigger success than its predecessor and EVERYONE'S talking about it! Without further ado, let's see what I'm predicting!
Who's H/fourth man (or woman) and will we find out?
The question that's on the nation's minds. That has been boggling us since 2017... My personal prediction still stands as CC Philip Osborne, however... I think he's purely sitting on his arse and pulling the strings, whilst others are doing his dirty work. Those people are Patricia Carmichael: who in all honesty I'm manifesting isn't actually bent but is so career driven and a bit of a lick arse that she's just taking orders and not questioning anything, plus she doesn't think much of Ted either... I have joked that she's been shagging Osborne on the side which would be quite funny. I also believe Buckells has been Osborne's true scapegoat for years. Someone as laid-back and unpassionate as Buckells is easily manipulated - I mean how the hell has he become a super? As Steve rightfully says, he couldn't order a piss up in a brewery. Seeing the connections go well back into the early noughties whilst Buckells was part of an Oasis tribute band, it's an easy conclusion to make. Lastly I will mention Thurwell, now I think Thurwell may have been more involved on his own doing anyway but I think he'd still been pretty busy doing things on behalf of Osborne up until his alleged death in sunny Spain (Belfast but shh). I know a lot of people still think Buckells, some reckon pas-agg Pat is the top woman... and a few still think our beloved Kate is 'H'.
Now the other part of my point is actually finding out... I think us as viewers will certainly know the identity of this mysterious individual. But, I think we'll find out in the very last few seconds and poor AC12 won't be any the wiser which will open up the foundations for a possible series 7. I think a lot of things will be answered for us viewers but not everything for the characters. I know that if they had a series 7 there would be another primary focus but I just think it would be clever. Just like how we found out as viewers at the end of series 1 that Dot was a wrong'un.
Is Thurwell really dead?
I'm still very amazed by the whole induction of Jimmy Nesbitt as a series of photos. I know we were supposed to have a secretive guest actor appearance and I believe it was Robert Carlyle's name floating about which would have been insane! But that moment we saw Jimmy, I yelled at the screen. So, this answers the question of seeing a character that had only been mentioned previously - which has been very much hiding in plain sight. Even with a rewatch, I had forgotten about Thurwell and therefore hadn't even considered him. But, I did mention the list from series 3 which did loosely tie in. Anyway, when we learned that Thurwell and his Mrs were now dead and clearly had been for a while - it was cleverly shot so we didn't see who it was, only the Spanish Police's word. You know, I think if we were to get a series 7, Thurwell could appear and he's in fact not dead. It's very rare you get a very well known actor in for something so small without it leading to bigger things. Although, they got Andi Osho, a very much loved comedian in purely for archival photos and videos... I do feel that Thurwell could have easily been on the other end of the fake MSN, and doing Osborne's dirty work - especially with the Spanish connection. In a BTS photo we have seen a clue to a piece of paperwork regarding a time share (Spain mentioned) in front of Kate which will likely have a connection to Thurwell and Spain. I think he's possibly still alive but we'll see...
Joanne Davidson
Kelly Macdonald has been welcomed with a very warm reception. Wow, her connection to Tommy Hunter (albeit disturbing, homozygous DNA... nasty business) was not something I ever expected although I guessed very much so when we learned of the DNA match with a nominal. Would I define her as bent? I mean in layman's terms, yes she is. However each guest star has had a very complicated relationship with the definition - all have done dodgy things and usually for good reason... But I do sympathise with her because of her background, born into trouble, it was very hard to escape - even if her mum took her to Scotland for a life away from it all. From the very start of her career she was doing the OCG's bidding and it transpires she was in the police on Tommy's orders - so very much another caddy. I do feel Jo had always wanted to be a good person and do right and in some ways she did - however she's in too deep. Next I'll mention her relationship with Kate and it's something I'd never have predicted. A lot of suggestive and sapphic behaviour from the off. Now, I do think Jo cares deeply for Kate and has developed strong feelings - and I think Kate deep down has also but I don't think anything will happen sadly. And that's more for the fact that they had run out of track before they could even get going as so much has happened. Kate's gonna save Jo when her transport gets ambushed, that's a given... but I don't think we'll see anything happen that we want to happen. I hope I'm very wrong and we get something but with the hour we've got I don't think it'll be the case. And as for her fate? I think she'll survive. Guest leads usually die, eventually... with the exception of Roz who's serving time with one arm in Brentiss. Given how unfortunate her life has been from her conception, I think it'll do her justice to escape with her life. Witness protection? Hmm perhaps... Although I think she's done enough dodgy stuff to warrant a prison stretch.
Will she be instrumental in revealing who the fourth dot is? Well yeah actually, I think she grew up thinking Thurwell was her dad... and of course having connections to both Osborne and Buckells. Jo joined the force just before the turn of the millennium so would have been a copper when the Lawrence Christopher case occurred in 2003. Even though not directly working with them, I'm sure she knew what was going on and would have come across Osborne and Buckells at that time. I have a strong inkling that she knows exactly who she's been talking to and has been under their wing since the start. If she dies I will be gutted.
Kate
Where are we going with Kate? Well she's just killed Ryan (lawfully) and has gotten away with it. But Carmichael isn't thick... and nor is Steve and Ted. They all know but I think that'll be that for now. For ages I thought she was gonna D word but I think she's gonna be alright now. I hope that somehow she gets back into anti-corruption permanently because that's where she's best suited. I'm shocked that she hasn't had a glass box spectacular - my predictions for her to be accused of being bent and all that were way off the mark... and not a single mention of the two dying declarations... With only an hour tomorrow and so much to deal with, I guess that's not going to be mentioned. And Kate ain't gonna be sanctioned either. But, there's always opportunity with a series 7... She'll definitely be back in AC12, interviewing... I can't see all the BTS photos being Jed Herrings. But we'll see tomorrow!
Steve
Poor Steve eh? He's not had an easy time of it. Addicted to painkillers as I rightfully predicted, unable to trust his gaffer, torn on a transfer and an up-and-down friendship with his 'mate'. Oh and the car, actually let's not talk about the Mazda... Anyhow I believe that Steve will talk about his back and recent struggles with meds after a lot of emails from occupational health. Will he get pulled off the job at the last second because he didn't book an appointment... yeah I think that might happen and Kate takes his place or something. But there is a counsellor or something credited so I'm pretty certain on that. Will he lose his long overdue promotion? It's possible! I don't think the test was going to come back as a fail but more of a cause for concern - just that the levels of codeine etc in his system were higher than they should be and it would be best advised to talk to someone. We haven't seen much pill taking going on since the drugs test so has Steve been going cold turkey? Or have they just veered away from that part of the story? In all fairness he's appeared fine with his back since the Windermere convoy - he ran across an industrial estate... I mean. I hope Steve gets a glimmer of hope and happiness because he rightfully deserves it. Ever since the start he's had his fair share of aggro and he deserves a break. I do think however he may be partly responsible for nailing the final nails into Ted's coffin - especially after he discovered the 50K up Merseyside and the truth from Lee Banks. I think he could be potentially happy with Steph, it would be nice for something to happen with them but we'll see. Steve needs a big hug.
Ted
This is going to pain me saying it. But, I don't think Ted is going to make it to the end. His retirement is inevitable. I can see the argument of the retirement being rescinded if they unmask the fourth dot etc and solve stuff but realistically, he's past retirement age. He's so focused on getting to the end of this marathon that I don't think he will see it through and know who it is - because he'll... yeah I don't need to say it. How? I've been saying his heart is gonna pack in. He's going to be in deep trouble over that 50k because Steve and Kate know the truth. But why would the likes of Carmichael find out... Well we've seen a clue of 'definate' on some paperwork - I reckon Ted by coincidence also makes this spelling mistake often as it is one of the most commonly misspelt words and therefore will be in the 'H' running again - he won't be 'H' as I reckon Osborne makes the same mistake... He alleges he misspelt it cos he studied the texts carefully but I think he spelt it how he usually would. They'll all go down the wrong path and accuse him which will lead to his ultimate downfall. Another little teaser is Steve appearing to listen to Ted's 2019 glass box spectacular however notably Carmichael says AC12 interview and not AC3... so mixing two different interviews to tease us? Maybe Ted might feel he has no choice but to sacrifice his career for the truth. However it all gets too much. Lies cost lives... I can't see Ted going on from beyond here and Ted was always supposed to be a minor character until he was very well received by the audience and he was made a main character. Realistically, his story is told and he's at his endgame. I hope he survives, by god I do... He's one of the most loved fictional characters at present. But I have a really bad feeling and I'm worried! It seems a total Jed thing to do for Ted to meet his end without ever finding the truth... seeing that's what his heart has been set on for about four years...
I'm sorry to even be going there but it's what I think will happen. And I want to be wrong.
Miscellaneous Predictions
I want to round this all off with other little points. Carmichael won't be bent, maybe still involved with anti-corruption, you love to hate her, there's so much more they could do with her character. I don't think Steph's dodgy at all, she's just a widow who's been helped out by Ted in an unlawful way. I think her and Steve would be well suited. I hope Chloe will get to the end and continue on in anti-corruption, she's got a lot of potential. If Osborne isn't sussed, I reckon he'll still be CC. DCC Wise isn't bent either, just getting on with her job. But if Osborne does get caught and I'm wrong, there will be a lot of chaos for both him and Wise. Farida gets out of jail and starts afresh. Buckells I reckon will get out but won't be a part of the police force anymore. Lomax isn't bent, just a regular cop trying to get the work done. The rest of Jackie's remains will be found under the workshop floor, maybe with someone else? God knows who. Or maybe with some evidence that helps lead AC12 on the right track. Steve will still be an officer and Kate will be back where she belongs. There's probably more but my head hurts.
Will there be a series 7?
Yes.
Thank you all for reading my jumbled thoughts all packed into a text post. I'm nervous but excited for tomorrow night's finale. Let's see if I get anything right... probably not...
#line of duty#6x07#my finale predictions#oh god people will not like some of these#kate fleming#steve arnott#ted hastings#joanne davidson#philip osborne#ian buckells#patricia carmichael#ted better not d word#thanks for reading#my predictions#martin compston#vicky mcclure#adrian dunbar#bbc#jed mercurio#h#i've probably forgotten stuff#but oh well a lot to cover#lies cost lives#series 7 please#if i've missed anything#always ask my thoughts on the thing i've missed#line of duty spoilers
Monthly Wrap Up: September
Looking back, September wasn't a great month. Granted I did read 9 books and 3 of those books were over 500 pages, but most of these books I didn't enjoy. There were a couple highlights and two of the books that I did read were non-fiction, both I thought were fairly good. I will also say real quick that I tried to start the last book in the Gemma Doyle trilogy, but I gave up on it because it was the exact same story I had to endure in the second book and I wasn't going to deal with 800 pages of that.
The Defiant Heir by Melissa Caruso: This is the second book in the Swords and Fire trilogy, and I thought it was even better than the first, and I gave the first one 5 stars. First it does build off of what was established in the previous book, with the worlds and the characters. The main conflict is Amalia trying to prevent an internal war while also trying to solve what happened to the missing Falcons. This series is exactly what I want to read, with an amazing intellectual character who knows how to use her smarts to achieve her goals and is someone who tries to do the right thing. The relationships are all astounding, female friendships in particular, and I like that Amalia's mother is an active presence who cares about her daughter but lets her do her own thing. The romance is great too, despite the fact that there is a love triangle. The villain is despicably evil, but he's not mustache twirling and while he did have a sad past, that fact isn't even remotely treated as an excuse for his horrible actions. The plot keeps me invested and keeps adding new twists that add to the story. The world is fantastic, with each location feeling well developed and distinct from each other. Seriously the only complaint I have about this series is that it isn't longer. The Defiant Heir received 5 out of 5 stars.
Bitterblue by Kristin Cashore: This book was such a disappointment. When I first read the Graceling trilogy, I hated the other two books, and I think that clouded my judgement and made me rate Bitterblue much higher. I do ultimately think Bitterblue is the best book in the series, but after rereading it I realize that it's not nearly as good as I originally thought it was. It's going to be hard to do this review without giving away spoilers, but I'll try. A brief synopsis is that Queen Bitterblue is working to help her kingdom recover and there are those that are trying to stop her. So Bitterblue makes an effort to be a good ruler and do the right thing in difficult situations. She's also book smart, and I usually like that type of character, but she did some really stupid things and was also quite bratty at times. There are two potential love interests, and I didn't really like either of them. One was just brooding, which I never like in a love interest, the other one was a bit boring. The weakest aspect of this book is definitely the plot. There's a sub plot about rebellion in the other kingdoms, but it was pretty irrelevant to the overall plot, and I just wasn't interested in any of the characters involved. This is the part where it's impossible to talk about the book without spoilers, but I will say this. The struggles that the kingdom is facing were well written and did a good job of exploring various themes of ruling and recovery. However, the big plot twist at the end that helps resolve their issues is so unrealistic that it causes the entire story to just collapse. The best aspects of this book were some of the themes explored and the artwork because there are some beautiful interior designs. I would still say this book is the best out of the three, but looking back it isn't nearly as good as I remember it (although I do in part blame the reading slump I was in after finishing Defiant Heir, but only partly).
Bitterblue received 2 out of 5 stars and was my pick for the PopSugar prompt "book with your favorite color in the title".
Red Sister by Mark Lawrence: I went into this book with high expectations, and while it did live up to a few, it also disappointed me. The basic summary is this girl gets taken in by a convent of assassin nuns, where she spends her years training. Sounds like a pretty cool synopsis, but every time I hope a book is going to be similar to Harry Potter, with the schooling, it never lives up to that expectation. First I liked the protagonist, Nona. It was nice to have a female character who was a badass fighter, but she wasn't cold. She cares deeply about her friends and friendship and protecting those she cares about are important to her. That's not a type of character I see often. With that established, I do think some of the friendships were well done, like Hessa's, Arabella's and Clera's, because of how much they differ but at the same time feeling like it wasn't forced. Some of the nuns were interesting, but they didn't quite feel fully fleshed out, and one nun I hated because of how mean she was and I'm sick of seeing that kind of adult in fiction. The world building was so weird, and I honestly didn't like it because it felt very underdeveloped and made little sense. The story is Nona's story, but there are times when I felt like it didn't focus on her and those were usually my least favorite parts because I was just invested in Nona, not in anything that was happening in the outside world or with any other character. Because of that there were some parts I honestly just skimmed through. I mentioned the Harry Potter thing, and what I meant by that is Nona has classes that she needs to take, and while they are mentioned, I didn't get much of a sense of her learning. It was more like she suddenly had these skills, which I blame on both the lack of detail on what she did learn, and the poor pacing of this story, with those parts just being rushed through at a rate I couldn't even discern.
So while I liked parts of the story, I definitely didn't love it as much as I thought I would and I'm not sure if I'm going to continue with the rest of the series. Red Sister received 3 out of 5 stars from me.
The Silk Roads: A New History of the World by Peter Frankopan: I was originally going to be reading this book over the entire year, but I decided to just finish it up as soon as possible. I didn't tag this book and I won't be doing a full review of it because it is historical nonfiction. Now the premise of the book intrigued me, exploring world history through the Silk Road, and I also thought the cover was pretty. The first half of the book really intrigued me because I like learning about ancient history, and it was very detailed and I was fascinated by what I was learning. My impression, however, had been that this book would primarily focus on ancient times, but this was not the case. I could have done with history that was all pre-1700s, but the last third of the book focused on history from the 1800s to modern times, and while I tried to pay attention because there was a lot that was relevant to today's world, I just couldn't focus as much as I had in the previous sections. That's not to say it wasn't as well written or well researched as the previous parts, I just wasn't interested anymore. So this book received 3.5 out of 5 stars, but that's only because it's a case of "it's not you, it's me," and I would highly recommend this book to anyone that loves history.
You Are A Badass by Jen Sincero: This was the other nonfiction I read this month, and this was just a real quick self help book. I do think overall it did a good job at identifying ways to improve but I do admit I started skimming through the extra text just to get to the bullet points. So helpful but maybe not presented in the most efficient way. You Are A Badass received 3 out of 5 stars.
The Library at Mount Char by Scott Hawkins: Oh man, I was looking forward to this book, but it epically failed. I read a sample of it and was really intrigued. It felt very mysterious, I didn't know exactly what was going on and I got the distinct impression that these characters weren't entirely human. Then I read the rest of the book and I didn't connect with any of the characters, I found the writing style to be increasingly irritating, the story made no sense to me because I didn't understand what was happening and I didn't understand the sense of urgency, and I got increasingly sexist vibes from the story. All I can make sense of is that "Father" had gone missing from the Library and there's a lot of death and resurrection. I can't do a full review of this story because I DNFed it 50% through, I just couldn't take it anymore. I initially chose this one as my pick for the PopSugar prompt "book set in a library" and needless to say this book received 1 out of 5 stars because I couldn't even force myself to finish it.
Circle of Magic: Sandry's Book by Tamora Pierce: I hoped that I would enjoy this one. I've been looking forward to reading it for a while. But lately I've really been struggling with YA, and even for a YA book I found this one to be bad. First, there's no plot. Literally two major events happen in the book and that's it everything else was filler. What I remember of almost all my favorite reads as a child (with the exception being East) is that they got into the action and the plot fast, so I can definitely say that even as a child I wouldn't have liked this book. I thought all the characters were pretty flat. I wasn't expecting to get everyone's perspective, I thought there would just be Sandry's perspective, since the book is literally called "Sandry's Book," and I don't think adding in the extra perspectives helped the story in any way. I also got the impression that the children were acting overly immature but also the audience was expected to be immature. There was one scene where three of the characters don't know what the word "kid" means, and it really irritated me. I won't be doing a full review for this one too, because I did tag it, but I didn't take any notes because of how overly simple this story was. I have the next 3 books and maybe they'll get better, but I'm in no rush. Sandry's Book received 1.5 out of 5 stars.
The Star Touched Queen by Roshani Chokshi: So I mentioned in the previous entry that I have been struggling with YA, particularly YA fantasy. This book, thank goodness, is a very pleasant exception to that. I really liked reading this book the first time through, and second read through, while there were a few things I disliked, I actually enjoyed the story even more. It's always pitched as Hades/Persephone with Indian folklore, and both parts are so well done. I loved the romance, I loved the story, I loved the characters (most of them). The writing style is gorgeous, it's so flowery and atmospheric. I could see the vivid colors, I could taste the jewel fruit. I love Chokshi's books, and I cannot wait to get to her short stories that are set in the same world. Star Touched Queen received 5 out of 5 stars.
Sabriel by Garth Nix: And so we return to the YA slump. I shouldn't be too hard on this book though. There were some very interesting aspects of it, and the first half of the book was good. Sabriel was a competent character who was trained to deal with death, and Mogget was this eerie figure that I kind of liked but was also kind of afraid of. I loved the focus on death, and how death is its own world. The magic system was really cool too, with different marks and the bells. I thought the pacing of the first half was decent too, fast but not rushed. Things took a turn, however, when the love interest was introduced. It was so obvious this guy was the love interest, and the relationship felt so forced and there was insta-love, which I hate. After Touchstone was introduced, the pacing was so much more rushed, there was a lot of telling instead of showing, and there was also quite a bit of deus ex machina. Things really fell apart in the second half, and it turns out this was because the first book was going to be treated more as a prequel instead of a first book. Sabriel received 3 out of 5 stars.
#monthly wrap up#books#september#the defiant heir#melisa caruso#star touched queen#roshani chokshi#tamora pierce#bitterblue#red sister#garth nix#sabriel#library at mount char
Fun with Java Deserialization
Down the Rabbit Hole
I've just been scrambling down the rabbit hole to patch an app that Qualys is complaining has a deserialization vulnerability. What should have been a simple effort has turned into a mystery because, while we appear to have the correct libraries already in place, Qualys is still complaining about the error. A report that should be clean, to indicate compliance with GDPR, is instead 'yellow', or 'orange', or 'red', so fingers point, tempers flare, e-mails fly about, cc'ing higher and higher ups, so now we have assumptions, and based on those assumptions, tersely written orders and involvement by 3rd-party vendors. Time to panic? Shall we be careful and tip-toe through the eggs?[0]
Well, it turns out to be a rather interesting mystery.
What is Java serialization?
First, some definitions are in order. What is Java serialization and why is it important? Perhaps Wikipedia[1] defines it most simply:
A method for transferring data through the wires
Java serialization is a mechanism to store an object in a non-object form, i.e. a flat, serial stream rather than an object, so that it can be easily sent somewhere, such as to a filesystem, for example. It is also known as 'marshaling', 'pickling', 'freezing' or 'flattening'. Java programmers should be familiar with the concept, and with the Serializable interface, since it is required in various situations. For example, this technique is used for Oracle Coherence's 'Portable Object Format' to improve performance and support language independence.
Early Days of Java Serialization
Amazing to think that, back in the day, we used all the various tools required for distributed communication, whether simple like RMI and JMX, or more involved specs like CORBA and EJB, and we never thought much about the security aspects. I'm sure if I peruse my copy of Henning and Vinoski's definitive work on C++ and CORBA, I'll find a chapter or so focusing on security[1], but I figure we, like everyone else, focused on the business details: getting the apps to communicate reliably, adding features, improving stability, etc., and not on whether there were any security holes, such as tricking a server into running cryptocurrency mining malware[2]. Yes, Bitcoin and the like did not even exist then.
The Biggest Wave of Remote Execution Bugs in History
Well, times change, and the twenty-year-old Java deserialization capability is the source of 'nearly half of the vulnerabilities that have been patched in the JDK in the last 2 years' [3], so Oracle has plans in the works to completely revamp object serialization. Further note that this is not solely Oracle's issue, nor is it limited to Java. Many other software vendors, and open source projects, whether tools or languages, have this weakness, such as Apache Commons Collections, Google Guava, Groovy, Jackson, and Spring.
It seems all the excitement, at least in the Java world, started when Chris Frohoff and Gabriel Lawrence presented their research on Java serialization, 'ultimately resulting in what can be readily described as the biggest wave of remote code execution bugs in Java history.' [6] However, it is important to note that this flaw is not limited to Java. While Frohoff and Lawrence focused on Java deserialization, Moritz Bechler wrote a paper that focuses on various Java open-source marshalling libraries:
Research into that matter indicated that these vulnerabilities are not exclusive to mechanisms as expressive as Java serialization or XStream, but some could possibly be applied to other mechanisms as well.
I think Moritz describes the heart of the issue the best:
Giving an attacker the opportunity to specify an arbitrary type to unmarshal into enables him to invoke a certain set of methods on an object of that type. Clearly the expectation is that these will be well-behaved — what could possibly go wrong?
Java deserialization
For our purposes, we focused on Java serialization and Apache Commons Collections. From the bug report COLLECTIONS-580[4]:
With InvokerTransformer, serializable collections can be built that execute arbitrary Java code. sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes #entrySet and #get on a deserialized collection.
If you have an endpoint that accepts serialized Java objects (JMX, RMI, remote EJB, …) you can combine the two to create an arbitrary remote code execution vulnerability.
The Qualys report didn't have much in the way of details, other than a port and the commons-collections payloads that illustrated the vulnerability, but I guessed from that info that the scanner simply uses the work done by the original folks (Frohoff and Lawrence) [5] who discovered the flaw, available as the ysoserial project below.
https://www.youtube.com/watch?v=KSA7vUkXGSg
Source code here: https://github.com/frohoff/ysoserial
Now, in the flurry of trying to fix this error, given the annoyingly vague details from Qualys, I had looked at all sorts of issues, after noticing a few extra JVM arguments in the Tomcat configuration that happened to be set for the instances that were failing with this error, but were not set on other instances. Apparently someone had decided to add these, without informing our team. Interesting.
Now, remember that according to the original bug report, this exploit requires (1) untrusted deserialization and (2) some way to send a payload, i.e. something listening on a port, such as a JMX service. In fact, these extra JVM args were for supporting remote access via JMX, so, unraveling the thread, I researched Tomcat 8 vulnerabilities, especially those related to JMX. While it turns out that JMX is a weak point (JBoss in particular had quite a well-known major JMX flaw), I did not have any luck convincing the customer that they should shut down the port. It is used to gather monitoring metrics useful in determining application performance such as CPU load, memory, and even cache information. OK, easy but drastic solutions were off the table. I was back to the drawing board.
Next, I tried to see why it was flagging Apache Commons Collections in the first place. Going back to the ysoserial project, was it incorrectly flagging Apache Commons Collections 3.2.2, or Collections4 4.1, despite the fact that the libs were fixed? Looking further at the specific payloads, Qualys/ysoserial was complaining about Collections 3.2.1, which limited the test scenarios to try to get working.
Now here's the interesting part: with ysoserial, I was unable to get the exploit to work as depicted in the Marshalling Pickles video. It was failing with a strange error I hadn't seen before, something about a filter setting a 'rejected' status. This led me to finding info about Oracle's critical patch update (_121). I was running with the latest & greatest JDK, release _192; however, our production servers were running a very out-of-date version - surprise, surprise.
Apparently, with Oracle JDK at release 121 or later, Oracle has started to address this vulnerability in an official way, rather than what exists currently, which is a bunch of ad-hoc solutions, mainly whitelisting/blacklisting, which is difficult without library support. Some would call this 'whack-a-mole', but I think this illustrates quite well the idea of a 'patch', i.e. there's a leak, so run over and put some tape over it, but we aren't solving the fundamental issue. In other words, the current defense against this attack is limited because we can't possibly know what libraries customers will use, so the library maintainer has to scramble to plug the holes whenever they are discovered. Note that even the best of libraries like Groovy, Apache and Spring have had to fix this flaw.
So kudos to Oracle for taking some much needed steps in solving this problem. Here's a little detail on the new feature that works to make the deserialization process more secure:
The core mechanism of deserialization filtering is based on an ObjectInputFilter interface which provides a configuration capability so that incoming data streams can be validated during the deserialization process. The status check on the incoming stream is determined by Status.ALLOWED, Status.REJECTED, or Status.UNDECIDED arguments of an enum type within ObjectInputFilter interface.
https://access.redhat.com/blogs/766093/posts/3135411
While it is the ‘official’ way to deal with the deserialization issue, it remains to be seen how well this strategy will work. As a further research project, I’m curious whether this model might be used beyond Java serialization, i.e. in projects like Jackson. Does it add anything more than Jackson already has, or does it simplify it, etc.?
This feature was targeted for Java 9 but was backported to 8 (8u121), though it looks like the backport doesn’t have all the functionality that Java 9 supports.
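As an added illustration (not code from the original post, and not taken from the customer’s system), here is how a stream-level filter built on that ObjectInputFilter interface behaves. It uses the Java 9+ `java.io.ObjectInputFilter` API; on the Java 8 backport the interface is `sun.misc.ObjectInputFilter` and the filter is attached with `ObjectInputFilter.Config.setObjectInputFilter(ois, filter)` instead of `ois.setObjectInputFilter(filter)`. The allow-list pattern, the class names in it and the sample objects are my own assumptions for the demo; the one real-world detail is that a rejected class fails with the same `InvalidClassException: filter status: REJECTED` mentioned above, before that class’s readObject ever runs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

public class SerialFilterDemo {

    // Assumed allow-list for a hypothetical endpoint that only ever expects a
    // list of strings. Patterns are evaluated in order and the first match
    // decides; the trailing "!*" rejects every class not named above, so a
    // gadget class such as org.apache.commons.collections.functors.InvokerTransformer
    // is refused by name before its readObject() can run.
    // java.lang.Object is listed because ArrayList.readObject asks the filter
    // to check an Object[] of the declared size, and array checks are matched
    // against the component type. The max* limits bound resource use.
    static final String PATTERN =
        "java.util.ArrayList;java.lang.Object;java.lang.String;"
        + "java.lang.Integer;java.lang.Number;"
        + "maxdepth=10;maxarray=1000;maxrefs=1000;maxbytes=65536;!*";

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the filter installed on this one stream. The filter is
    // consulted for every class as it is resolved, i.e. before readObject().
    static Object deserializeFiltered(byte[] data)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(PATTERN);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input 1: exactly what the endpoint expects.
        List<String> expected = new ArrayList<>();
        expected.add("metrics");
        System.out.println("allowed: " + deserializeFiltered(serialize(expected)));

        // Constructed sample input 2: a harmless class that is simply not on
        // the allow-list. It fails the same way a gadget chain would:
        // "filter status: REJECTED", with no readObject() of the payload run.
        HashMap<String, Integer> unexpected = new HashMap<>();
        unexpected.put("x", 1);
        try {
            deserializeFiltered(serialize(unexpected));
            System.out.println("BUG: HashMap should have been rejected");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide with `-Djdk.serialFilter=...` on the JVM command line (or the `jdk.serialFilter` Security property), which covers every ObjectInputStream in the process that has no stream-specific filter, including the ones behind an RMI/JMX listener. Without the trailing `!*`, classes that match no pattern are UNDECIDED and are allowed, which turns the filter back into the blacklist approach described above; with it, InvokerTransformer is blocked not because someone remembered to list it, but because nothing in the endpoint’s contract needs it.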
So you are probably wondering what happened? Did we fix all of the above, and even throw in a Tomcat upgrade, like the Monty Python ‘Meaning of Life’ movie: “everything, with a cherry on top!” Well, finally, given a little guidance on where to look, the 3rd-party developers discovered that not only had they added the JVM args, they had also added in some extra code to handle authentication. Which used - you guessed it - the _old_ 3.2.1 version of commons-collections. This code was also manually maintained, so while the app our team maintained received the updated commons jar in an automated fashion along with all the other updates, this little bit of code, tucked away on the server, was never updated.
Lessons learned? Off-the-wall custom authentication? Don’t do this. But if you do, don’t leave manually updated chunks of code lying around, and further, keep up with the patches!
[0] Yes, I’m reading William Finnegan’s ‘Barbarian Days: The Surfing Life’, Finnegan’s hilarious and fascinating account of being a surfer in the early days of the sport. At one point, he complains to his friend and fellow surfer, who is getting on his nerves, that he is tired of walking on eggs around him. Of course, in his anger, he mixed up the quote, and meant ‘walking on eggshells’.
[1] https://en.wikipedia.org/wiki/Serialization
[2] A quick look at the omniORB doc shows it has a feature called the ‘Dynamic Invocation Interface… Thus using the DII applications may invoke operations on any CORBA object, possibly determining the object’s interface dynamically by using an Interface Repository.’ Sounds like reflection, doesn’t it? I’m not aware of any specific vulnerabilities, but it does seem we’ve traded a bit of the security that invoking statically-compiled objects brings for convenience.
https://www.cl.cam.ac.uk/research/dtg/attarchive/omniORB/doc/3.0/omniORB/omniORB011.html
[3] https://www.siliconrepublic.com/enterprise/cryptocurrency-malware-monero-secureworks
The Java Object Serialization Specification references a good set of guidelines on how to mitigate the vulnerability (section 8, “Serialization and Deserialization”, of Oracle’s Secure Coding Guidelines for Java SE):
https://www.oracle.com/technetwork/java/seccodeguide-139067.html#8
[4] https://www.securityinfowatch.com/cybersecurity/information-security/article/12420169/oracle-plans-to-end-java-serialization-but-thats-not-the-end-of-the-story
[5] https://issues.apache.org/jira/browse/COLLECTIONS-580
[6] Which seems to be a pretty standard strategy these days, i.e. proprietary companies like Qualys leveraging open source and adding it to their toolset. AWS does this to great effect, and we, as the consumer, benefit by getting simple interfaces. However, we should not forget that much of the code we use today is open-source software, in some way or another.
Stratechery, as usual, has a very thoughtful post about this very idea:
It’s hard to not be sympathetic to MongoDB Inc. and Redis Labs: both spent a lot of money and effort building their products, and now Amazon is making money off of them. But that’s the thing: Amazon isn’t making money by selling software, they are making money by providing a service that enterprises value, and both MongoDB and Redis are popular in large part because they were open source to begin with.
[snip]
That, though, should give pause to AWS, Microsoft, and Google. It is hard to imagine them ever paying for open source software, but at the same time, writing (public-facing) software isn’t necessarily the core competency of their cloud businesses. They too have benefited from open-source companies: they provide the means by which their performance, scalability, and availability are realized. Right now everyone is winning: simply following economic realities could, in the long run, mean everyone is worse off.
https://stratechery.com/2019/aws-mongodb-and-the-economic-realities-of-open-source/
[7] https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
[8] https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062