[ERPSCAN-17-006] Oracle OpenJDK – Java Serialization DoS vulnerability

Application: Oracle OpenJDK
Vendor: Oracle
Bug: DoS
Reported: 23.12.2016
Vendor response: 24.12.2016
Date of Public Advisory: 17.01.2017
Reference: Oracle CPU Jan 2017
Authors: Roman Shalymov


Class: Denial of Service
Remotely Exploitable: Yes
Locally Exploitable: Yes

CVSS Information

CVSS Base Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

AV: Attack Vector (Related exploit range): Network (N)
AC: Attack Complexity (Required attack complexity): High (H)
PR: Privileges Required (Level of privileges needed to exploit): None (N)
UI: User Interaction (Required user participation): None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component): Changed (C)
C: Impact to Confidentiality: High (H)
I: Impact to Integrity: High (H)
A: Impact to Availability: High (H)


Description

An attacker can cause a denial of service in any application that runs on OpenJDK Runtime Environment 1.8 and deserializes attacker-controlled data with the standard Java serialization mechanism.


Vulnerable Packages

OpenJDK Runtime Environment build 1.8.0_112-b15


Solution

The fix is in the ObjectInputStream.skipCustomData() method, namely the readObject0(false) call in its switch statement. Update to the OpenJDK build shipped with the Oracle Critical Patch Update of January 2017. As defence in depth, OpenJDK 8u121 and later also provide the serialization filter (the jdk.serialFilter system property, backported from JEP 290), whose maxdepth limit bounds the nesting depth of any incoming stream; in general, ObjectInputStream.readObject() should not be applied to untrusted input at all.


Technical Description

An attacker can craft a byte sequence that causes a StackOverflowError in the JVM during the standard Java deserialization process, i.e. wherever the application calls ObjectInputStream.readObject() on attacker-controlled input. skipCustomData() is used to skip the custom data that a class wrote with writeObject() when the reading side does not consume it; whenever the next type code in that data is not block data or TC_ENDBLOCKDATA, it falls into the default branch of its switch statement and calls readObject0(false), which deserializes the nested object in full. An object whose custom data contains another such object, and so on, therefore recurses once per nesting level with no depth limit, and a stream nested deeply enough exhausts the thread stack before any ClassNotFoundException or other error is reported.

Proof of Concept

An attacker creates the malicious byte sequence, for example with the following Python script, pwn_ser.py:

and saves the output to the file exp2.ser.

Let’s simulate the deserialization process. For this purpose, we create a simple Java program that uses the following standard deserialization pattern:

Let’s try to read our malicious file (the same bytes could equally be delivered over a network connection):

It causes the following error dump: