A Graphical Representation of RCE Vulnerabilities in Java Deserialization

This is a Bachelor's thesis from Umeå University / Department of Computing Science

Author: Glenn Jansson; [2023]


Abstract: Unsafe deserialization in Java exposes systems to remote code execution (RCE). A system that is otherwise safe becomes vulnerable when a particular version of the Java Virtual Machine (JVM) is combined with common third-party libraries whose classes form a gadget chain that executes during deserialization. Because the number of possible combinations is large, developers and analysts cannot easily tell whether a given set of software versions is safe to use. To help with this, the project uses ysoserial, the tool that generates proof-of-concept gadget-chain payloads for known vulnerable libraries, and automates testing of its payloads against just over half a million combinations of JVM and library versions. The results are presented graphically and made available online for future reference.
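The sink the thesis is concerned with, and the mitigation that makes the JVM/library combination irrelevant to it, as an added example (this is not code from the thesis or from ysoserial). It puts the vulnerable pattern, a bare `ObjectInputStream.readObject()` on untrusted bytes, beside a version hardened with a JEP 290 `ObjectInputFilter` allow-list (Java 9 or later). The `Greeting` class and the `HashMap` stand-in for an attacker-supplied stream are constructed for the example; a real gadget chain of the kind ysoserial emits would be rejected by the same filter rule because its classes are not on the allow-list.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class DeserializationDemo {

    // Constructed sample type: the only object this endpoint legitimately expects.
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // VULNERABLE: deserializes whatever class the byte stream names. If a library
    // with a usable gadget chain (the kind ysoserial targets) is on the classpath,
    // readObject() can run attacker-controlled code before the caller ever casts
    // the result, so the JVM and library versions decide whether this is exploitable.
    static Object unsafeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // HARDENED: a JEP 290 filter that allow-lists the expected classes, rejects
    // everything else ("!*"), and caps graph depth, reference count and stream size
    // so deep or oversized graphs are refused before they are fully materialised.
    static Object safeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "DeserializationDemo$Greeting;java.lang.String;!*;maxdepth=3;maxrefs=32;maxbytes=4096");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    // Helper to produce serialized bytes for the constructed inputs below.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Legitimate input passes the filter.
        byte[] ok = serialize(new Greeting("hello"));
        System.out.println("accepted: " + ((Greeting) safeDeserialize(ok)).text);

        // Stand-in for attacker-controlled bytes: a class this endpoint never asked for.
        // (A ysoserial payload would carry a gadget chain here; the filter outcome is the same.)
        byte[] unexpected = serialize(new HashMap<String, String>());
        unsafeDeserialize(unexpected);   // accepted silently by the vulnerable sink
        try {
            safeDeserialize(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage()); // filter status: REJECTED
        }
    }
}
```

The filter string is evaluated per class as the stream is read, so a rejected class raises `InvalidClassException` before its `readObject` logic runs. The allow-list approach is what makes the version matrix the thesis maps moot for a given endpoint: no library on the classpath can contribute a gadget unless its classes are explicitly permitted. For code that cannot be changed, the same pattern can be applied process-wide through the `jdk.serialFilter` system property.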
