Preventing Deserialization attacks in Java applications

Presented by Jason Shepherd
Tuesday 11:15 a.m.–11:45 a.m.
Target audience: Developer

Abstract

Recent research by Chris Frohoff and Gabriel Lawrence has exposed gadget chains in various libraries that allow code to be executed during object deserialization in Java. They've done some excellent research, including publishing code that allows anyone to serialize a malicious payload which, when deserialized, runs the operating system command of their choice as the user that started the Java Virtual Machine (JVM). The vulnerabilities are not in the gadget chains themselves but in the code that deserializes them.

There are a couple of ways in which this type of attack on the JVM can be mitigated:

  • not deserializing untrusted objects;
  • not having the classes used in the 'gadget chain' in the classpath;
  • running the JVM as a non-root operating system user, with reduced privileges;
  • egress filtering that blocks all outbound traffic except packets belonging to a connection for which the firewall already holds a state table entry.

In this talk we'll explore each of these in detail, using JBoss EAP as an example of how these mitigations can be introduced.
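The first mitigation above, refusing to deserialize untrusted objects, is usually implemented as look-ahead deserialization: the class name is checked against an allow-list before any bytes are turned into an instance, so a gadget class never gets constructed even if it is on the classpath. The following is an added example written for this page, not code from the talk or from JBoss EAP; the `Greeting` type, the allow-list contents and the sample payloads are constructed for the demonstration.

```java
import java.io.*;
import java.util.Set;

/** Look-ahead deserialization: only classes on an explicit allow-list may be instantiated. */
public class SafeDeserialization {

    // Allow-list constructed for this example; a real one names only the application's own DTOs.
    static final Set<String> ALLOWED = Set.of("SafeDeserialization$Greeting");

    // A trivial application type we expect to receive (constructed for the example).
    static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    /** ObjectInputStream that consults the allow-list in resolveClass(), before instantiation. */
    static class SafeObjectInputStream extends ObjectInputStream {
        SafeObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                // Reject before the class is loaded or any readObject() hook can run.
                throw new InvalidClassException(desc.getName(), "not on deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Greeting("hello"));
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(expected))) {
            System.out.println("accepted: " + ((Greeting) in.readObject()).text);
        }
        // Any other type, here a harmless HashMap standing in for a gadget class, is refused.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(unexpected))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

On JDK 9 and later (and 8u121 and later) the built-in `java.io.ObjectInputFilter` mechanism from JEP 290 provides the same allow-listing without subclassing, and can also be applied process-wide via the `jdk.serialFilter` system property.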

Presented by

Jason Shepherd

Jason Shepherd, @jazinner, has over 8 years' experience as a software developer working with Java Enterprise technologies. In 2013 Jason authored a series of videos published by Packt Publishing on JBoss Enterprise Application Platform. In 2015 Jason moved from the Technical Support team at Red Hat to the Product Security team, where he now focuses on Java EE security full time.

©2016 Linux Australia and linux.conf.au 2017. Linux is a registered trademark of Linus Torvalds.