The non-programmer’s explanation to the Java deserialisation bug

In the last year we’ve had several serious and well publicised software vulnerabilities like Heartbleed and Shellshock that set the whole tech press chattering and even made the national news. But not all vulnerabilities are as well marketed. One particular bug has been around for years, has been publicly known for over 9 months, but is only recently getting attention due to a report by Foxglove Security and a corresponding Slashdot article. As Foxglove say, “no one gave it a fancy name, there were no press releases” but “this bug is unlikely to go away soon”.

The report by Foxglove is a fascinating read if you’re a Java programmer, but it is very long and deeply technical. My goal is to explain what’s happening in enough detail that everyone else can understand how this bug got there, and why it’s not simple to get rid of. I do assume you are at least a little bit technical. You are reading an article about a software vulnerability after all.