Java JAR & Deserialization Security

Java applications ship as JAR, WAR, and EAR archives containing compiled bytecode. Deserialization vulnerabilities like Log4Shell (CVE-2021-44228) and Spring4Shell (CVE-2022-22965) demonstrated how a single vulnerable library in a fat JAR can compromise millions of deployments.

Verified by Precogs Threat Research
javajardeserializationlog4shellUpdated: 2026-03-22

Java Deserialization Attacks

Java Object Serialization allows arbitrary code execution when deserializing untrusted data. Gadget chains in common libraries (Apache Commons Collections, Spring, Jackson) transform deserialization into remote code execution. The ysoserial tool contains dozens of ready-to-use exploit payloads for popular Java libraries.

Log4Shell & Supply Chain Lessons

Log4Shell (CVE-2021-44228) was a perfect storm: Log4j was in virtually every Java application, the exploit was trivial (a single log message), and the JNDI lookup enabled remote code execution. It persists in production because fat JARs bundle Log4j at build time, and many organizations cannot identify which applications contain it.

Precogs AI Java Binary Analysis

Precogs AI unpacks JAR/WAR/EAR archives, analyzes compiled bytecode for deserialization sinks (ObjectInputStream.readObject), identifies vulnerable library versions through class signature matching (even in shaded/relocated packages), and detects JNDI injection vectors. We find Log4j in applications that traditional SCA misses due to shading.

Attack Scenario: The Spring4Shell Reflection Pivot

1

An attacker scans a company's public attack surface and finds a legacy Spring MVC application running on Tomcat (Java 9+).

2

The application exposes an endpoint that binds standard HTTP POST parameters to a POJO (Plain Old Java Object).

3

Due to a bypass in Spring's `CachedIntrospectionResults`, the attacker sends a parameter named `class.module.classLoader.resources.context.parent.pipeline.first.pattern`.

4

The backend Java reflection blindly walks this Object graph, allowing the attacker to alter the configuration of the Tomcat logging mechanism.

5

The attacker changes the log file extension to `.jsp` and the log contents to a raw Web Shell payload.

6

Result: Complete Remote Code Execution via framework-level reflection abuse without explicit deserialization.

Real-World Code Examples

Untrusted Object Serialization (CWE-502)

Java Object Serialization (`java.io.Serializable`) does not just parse data; it heavily utilizes reflection to instantiate arbitrary classes found on the application's Classpath (the "Gadget Chain"). If an attacker intercepts a serialized stream (like a JSESSIONID or RMI payload) and replaces it with an exploit payload from a known library (like Apache Commons Collections), the JVM executes arbitrary code during deserialization.

VULNERABLE PATTERN
// VULNERABLE: Blindly deserializing untrusted byte streams
import java.io.ObjectInputStream;

public void handleUserCookie(InputStream cookieStream) throws Exception {
    ObjectInputStream ois = new ObjectInputStream(cookieStream);
    
    // Attacker sends a crafted serialized payload (ysoserial)
    // Code execution happens DURING the readObject() phase,
    // LONG BEFORE the cast to UserData even occurs.
    UserData data = (UserData) ois.readObject(); 
    processUser(data);
}
SECURE FIX
// SAFE: Relying on Jackson/Gson object-mapping without typing flags
import com.fasterxml.jackson.databind.ObjectMapper;

public void handleUserCookie(String jsonCookie) throws Exception {
    ObjectMapper mapper = new ObjectMapper();
    // Ensuring DefaultTyping is strictly OFF (the default)
    // Jackson parses data primitives, not arbitrary Java classes
    UserData data = mapper.readValue(jsonCookie, UserData.class);
    processUser(data);
}

Detection & Prevention Checklist

  • Aggressively deprecate and remove `java.io.ObjectInputStream` from all enterprise services
  • Implement global Deserialization Filters (JEP 290) in the JVM args (`-Djdk.serialFilter`) to whitelist only necessary classes
  • Scan all proprietary Java Web Archives (`.war`) and Fat Jars (`.jar`) with SCA tools that expand shaded dependencies (to find hidden `log4j` or `commons-collections`)
  • Never enable polymorphic typing decorators (`@JsonTypeInfo`, `enableDefaultTyping()`) in generic Jackson ObjectMapper setups when handling external JSON
  • Monitor application server execution for unexpected bash/cmd child processes (often indicative of a successful RCE payload payload execution)
🛡️

How Precogs AI Protects You

Precogs AI analyzes compiled Java bytecode in JAR/WAR archives to detect deserialization gadget chains, JNDI injection (Log4Shell), shaded vulnerable libraries, and reflection abuse — finding risks that dependency scanners miss.

Start Free Scan

Related Weakness Types

CWE-502CWE-917CWE-611CWE-94CWE-74CWE-78CWE-918CWE-287CWE-200CWE-22

High Risk Industries

Financial Services SecurityGovernment & Defense Cybersecurity

Compliance Frameworks

PCI DSS 4.0SOX / GLBADORA (Digital Operational Resilience Act)SOC 2 / ISO 27001

How do you detect Java deserialization vulnerabilities?

Precogs AI unpacks JAR/WAR archives, analyzes bytecode for deserialization sinks, identifies vulnerable libraries even when shaded/relocated, and detects JNDI injection vectors like Log4Shell in compiled Java applications.

Scan for Java JAR & Deserialization Security Issues

Precogs AI automatically detects java jar & deserialization security vulnerabilities and generates AutoFix PRs.

Start Free Scan