Clarification for adding classes shipped with JDK to sun.rmi.registry.registryFilter property in java.security file

Roger Riggs Roger.Riggs at Oracle.com
Fri Jan 19 15:14:25 UTC 2018 

Hi Vipin,

A couple of suggestions to make working with serialization filters easier.

JEP 290 enabled logging of filtering actions by setting 
java.io.serialization.level =  FINEST.
Add that to the logging.properties and supply it on the command line with
"-Djava.util.logging.config.file=logging.properties".
If set to FINEST, it will log every call to the filter with the 
arguments of class, array size, etc.
If set to FINE, it will log only the cases where the filter rejects 
based on its arguments.

The pattern based filters can allow or disallow entire packages.
For example, "java.net.**" will allow any class in any package with a 
"java.net." prefix.

For development purposes, serialized classes for the registry could be 
identified using a filter of "*"
with logging enabled as FINEST and examining the log.

Expanding the white list for the registry is a possibility with a very 
conservative
evaluation of specific cases.

Regards, Roger

[1] http://openjdk.java.net/jeps/290


On 1/16/2018 7:21 AM, Vipin Mv1 wrote:
>
> Hi,
>
> After upgrading to oracle 8u121-b12, I get following Exception when running
> the following testcase.
>
> import java.io.*;
> import java.net.InetAddress;
> import java.rmi.*;
> import java.rmi.registry.*;
> import java.security.Security;
>
> /* @test
>   * @run main/othervm RegistryFilterTest
>   */
>
> public class RegistryFilterTest {
>
>          private static int port = 12345;
>          private static Registry registry;
>
>          static class RemoteObj implements Serializable, Remote {
>                  private static final long serialVersionUID = 01L;
>
>                  final Object obj;
>
>                  RemoteObj(Object obj) {
>                          this.obj = obj;
>                  }
>
>
>          }
>
>
>          public static void main(String[] args) throws Exception{
>
>              InetAddress in = InetAddress.getLocalHost();
>              LocateRegistry.createRegistry(port);
>              Registry registry = LocateRegistry.getRegistry("localhost",
> port);
>              registry.bind("InetAddress", new RemoteObj(in));
>              registry.unbind("InetAddress");
>              System.out.println("RMI Registry Test Passed");
>
>          }
>
> }
>
> TestResults
> -----------------------
> Jan 12, 2018 5:32:18 PM java.io.ObjectInputStream filterCheck
> INFO: ObjectInputFilter REJECTED: class java.net.InetAddress, array length:
> -1, nRefs: 5, depth: 2, bytes: 216, ex: n/a
> Caused by: java.io.InvalidClassException: filter status: REJECTED
>      at java.io.ObjectInputStream.filterCheck(ObjectInputStream.java:1406)
>      at java.io.ObjectInputStream.readNonProxyDesc
> (ObjectInputStream.java:1997)
>      at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1877)
>      at java.io.ObjectInputStream.readOrdinaryObject
> (ObjectInputStream.java:2170)
>      at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1698)
>      at java.io.ObjectInputStream.defaultReadFields
> (ObjectInputStream.java:2415)
>      at java.io.ObjectInputStream.readSerialData
> (ObjectInputStream.java:2339)
>      at java.io.ObjectInputStream.readOrdinaryObject
> (ObjectInputStream.java:2197)
>      at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1698)
>      at java.io.ObjectInputStream.readObjectImpl(ObjectInputStream.java:540)
>      at java.io.ObjectInputStream.readObject(ObjectInputStream.java:475)
>      ... 16 more
>
> I understand it is due to the new serialization Filtering mechanism
> introduced to RMI Registry and Distributed Garbage Collection as a part of
> the following fixes.
>
> JDK-8160108 Implement Serialization Filtering
> JDK-8156804: Better constraint checking(not public)
>
> As a result, a new default white list has been introduced for RMIRegistry
> which allows deserialization only to limited set of classes by default.
> Which are
>
> String.class
> java.lang.Number.class
> java.rmi.Remote.class
> java.lang.reflect.Proxy.class
> sun.rmi.server.UnicastRef.class
> java.rmi.server.RMIClientSocketFactory.class
> java.rmi.server.RMIServerSocketFactory.class
> java.rmi.activation.ActivationID.class
> java.rmi.server.UID.class
> and their subclasses.
>
> It also enabled provisions to increase the default white list by
>
> 1. updating property "sun.rmi.registry.registryFilter" in java.security
> file
> 2. adding -Dsun.rmi.registry.registryFilter in java command line
>
> Though the current solution is straight forward, it is difficult from an
> application point of view to identify such classes without running the
> application multiple times to come up with comprehensive list to be
> allowed. This would be a overhead to the developer and should be avoided at
> least for classes shipped with JDK (for example, java.net.InetAddress as
> used in testcase).
>
> I assume that default list is very limited to reduce the chances of getting
> exploited by serialization vulnerability. I think, we can spare public
> packages shipped with JDK by adding them to
> "sun.rmi.registry.registryFilter" in java.security file out of the box.
>
> Please let me know your views.
>
> Thanks & Regards,
> Vipin MV

More information about the core-libs-dev mailing list