The Java team is planning to remove the Java Serialization feature from core Java language. This is owing to some security issues with the object serialization API.
What is Java’s Object Serialization feature?
The Serialization API converts the message in a data communication system into a sequence of bytes which can be processed further. The sequence of bytes is made into an object and written in a Java file. This file can be read and deserialized to recreate the message in the memory.
Why is Oracle calling it a mistake?
Approximately one-third of all the vulnerabilities in the Java systems have serialization involved.
Mark Reinhold, chief Architect from Oracle mentioned that Oracle has been receiving reports that revealed the security weakness in Java Serialization. They have found a lot of applications servers receive serialization data streams on unprotected ports of a server. The attackers can use the easy use case of the serialized object and deserialize to recreate the object.
Adding to the overhaul, Reinhold called the serialization feature as a “horrible mistake” made in 1997.
To counteract these vulnerabilities, Oracle has added a filtering capability in Java to provide a defense mechanism for the network using serialization and receiving untrusted data streams.
Oracle also mentioned their plans to remove serialization from Java as a long-term plan under Project Amber, focussed on streamlining the release cycle of Java and to enhance the productivity of the Java language in the Java 11 release.
To continue to support the serialization in Java language, Oracle is planning to add a Serialization feature that will enable object serialization in a safe way. The framework will also be developed to support graphs, that supports JSON or XML to provide serialization of any record.