CWE-594: J2EE Framework: Saving Unserializable Objects to Disk

Abstraction: Variant | Status: Incomplete | Structure: Simple

CWE version: 4.18

Last updated: 2025-09-09

Description

When the J2EE container attempts to write unserializable objects to disk, there is no guarantee that the process will complete successfully.

Extended Description

Under heavy load, most J2EE application frameworks flush objects to disk to manage the memory requirements of incoming requests. For example, session-scoped objects, and even application-scoped objects, are written to disk when required. While these application frameworks do the real work of writing objects to disk, they do not enforce that those objects be serializable, leaving the web application vulnerable to crashes induced by serialization failure (in Java, a java.io.NotSerializableException raised while the container passivates the session). An attacker may be able to mount a denial-of-service attack by sending enough requests to the server to force the web application to save objects to disk.

Common Consequences

Scope: Integrity

Technical Impact: Modify Application Data

Note: Data represented by unserializable objects can be corrupted.

Scope: Availability

Technical Impact: DoS: Crash, Exit, or Restart

Note: Non-serializability of objects can lead to a system crash.

Potential Mitigations

Phases: Architecture and Design; Implementation

Description: All objects that become part of session and application scope must implement the java.io.Serializable interface to ensure serializability of the containing objects. Implementing Serializable on the top-level object is not sufficient on its own: every non-transient field reachable from it must also be serializable, otherwise the container still fails with java.io.NotSerializableException at passivation time. Fields that hold live resources (connections, sockets, threads) should be declared transient and re-established after deserialization.
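The passivation step described in the extended description, and the mitigation above, as an added example. This is not code from the CWE entry or from any application server; it reduces container passivation to its essence (an ObjectOutputStream round trip) so the failure and the fix can be run with a plain JDK and no servlet API. The LiveConnection, CartUnserializable and CartSerializable classes and the endpoint string are hypothetical.

```java
import java.io.*;

/**
 * Added example (not from the CWE entry): simulates what a J2EE container does
 * when it flushes a session-scoped attribute to disk, and shows why an attribute
 * that does not implement Serializable makes that step fail.
 */
public class Cwe594Demo {

    // Stand-in for a resource that must never be written to disk (a pooled DB
    // connection, socket, thread, ...). Hypothetical class, not Serializable.
    static final class LiveConnection {
        final String endpoint;
        LiveConnection(String endpoint) { this.endpoint = endpoint; }
        String describe() { return "connection to " + endpoint; }
    }

    // VULNERABLE: placed in HttpSession but does not implement Serializable.
    // A container that passivates sessions under load hits
    // java.io.NotSerializableException on this attribute.
    static final class CartUnserializable {
        final String userId;
        final LiveConnection conn;
        CartUnserializable(String userId) {
            this.userId = userId;
            this.conn = new LiveConnection("db.internal:5432"); // hypothetical endpoint
        }
    }

    // HARDENED: implements Serializable, marks the live resource transient, and
    // re-acquires it on deserialization so the object is usable again when the
    // container reactivates the session.
    static final class CartSerializable implements Serializable {
        private static final long serialVersionUID = 1L;
        final String userId;
        transient LiveConnection conn;
        CartSerializable(String userId) {
            this.userId = userId;
            this.conn = new LiveConnection("db.internal:5432"); // hypothetical endpoint
        }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // Never restore a live resource from disk; re-establish it instead.
            this.conn = new LiveConnection("db.internal:5432");
        }
    }

    /** Container passivation reduced to its essence: serialize the attribute. */
    static byte[] passivate(Object sessionAttribute) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(sessionAttribute);
        }
        return bytes.toByteArray();
    }

    /** Container activation: read back bytes the container itself wrote.
     *  Only ever feed this the container's own passivation data, never
     *  untrusted input, since ObjectInputStream is a deserialization sink. */
    static Object activate(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    /** Pre-flight check an application can run before session.setAttribute(). */
    static boolean isPassivatable(Object attribute) {
        try {
            passivate(attribute);
            return true;
        } catch (IOException e) {  // NotSerializableException is an IOException
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Object bad = new CartUnserializable("alice");
        Object good = new CartSerializable("alice");

        System.out.println("unserializable cart passivates? " + isPassivatable(bad));
        System.out.println("serializable cart passivates?   " + isPassivatable(good));

        // Round-trip the hardened object the way a container would and confirm
        // the transient resource was re-established rather than restored.
        CartSerializable restored = (CartSerializable) activate(passivate(good));
        System.out.println(restored.userId + " -> " + restored.conn.describe());

        // Show the exact failure the container would see for the vulnerable class.
        try {
            passivate(bad);
        } catch (NotSerializableException e) {
            System.out.println("container passivation failed: " + e);
        }
    }
}
```

The isPassivatable check is the practical guard: run it on any object before storing it in session or application scope, and it catches both the missing Serializable interface and a non-transient field whose type is not serializable, which is the case the mitigation text alone does not make obvious.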

Modes of Introduction

Phase | Note
Implementation | -

Applicable Platforms

Languages
Java (Undetermined)

Taxonomy Mappings

Mapped Taxonomy Name | Node ID | Mapped Node Name | Mapping Fit
Software Fault Patterns | SFP1 | Glitch in computation | -

Key Information

CWE ID: CWE-594

Abstraction: Variant

Structure: Simple

Status: Incomplete

Related Weaknesses