Safeguard
Tag

java-security

Safeguard articles tagged "java-security" — guides, analysis, and best practices for software supply chain and application security.

79 articles

Application Security

Jackson ObjectMapper and the gadget-chain trap: safe polymorphic deserialization

One FasterXML fix in 2017 spawned nearly 30 follow-up CVEs. Here's how Jackson's polymorphic typing enables RCE, and how to configure ObjectMapper safely.

Jul 16, 20265 min read
Application Security

Comparing open-source tools for secure Java code review

SpotBugs checks 400+ bug patterns, Find Security Bugs adds 144 more, and CodeQL needs a full build — no single free Java scanner covers everything.

Jul 16, 20266 min read
Application Security

Detecting and preventing Zip Slip and path traversal in Java

Snyk's 2018 Zip Slip disclosure hit Amazon, Apache, and LinkedIn projects at once — here's how the flaw still hides in Java archive code today, and how to catch it.

Jul 14, 20265 min read
Open Source Security

The Java ecosystem's recurring vulnerability classes: deserialization, XXE, and JNDI injection

Log4Shell scored a 10.0 CVSS and Spring4Shell followed five months later — both traced back to two patterns Java has repeated for a decade.

Jul 14, 20266 min read
Vulnerability Management

Text4Shell deep dive: how CVE-2022-42889 turned string formatting into RCE

CVSS 9.8. Apache Commons Text 1.5–1.9 ran attacker strings through a script interpolator by default — here's the root cause and the fix.

Jul 12, 20266 min read
Vulnerability Management

CVE-2022-33980: Interpolation-Based RCE in Apache Commons Configuration

A CVSS 9.8 flaw in Apache Commons Configuration 2.4–2.7 let default interpolators run script-engine expressions from untrusted config strings.

Jul 11, 20267 min read
Application Security

Bytecode vs. source analysis: static analysis techniques for Java and Kotlin

SpotBugs scans compiled .class files for 400+ bug patterns; Semgrep parses source directly. Neither alone would have caught CVE-2015-7501 fast enough.

Jul 8, 20265 min read
Best Practices

Getting AES right in Java: JCA/JCE mistakes that break your encryption

Call `Cipher.getInstance("AES")` in Java and you silently get ECB mode — no warning, no error, just plaintext patterns leaking through.

Jul 8, 20267 min read
Vulnerability Management

Log4Shell and Spring4Shell, years later: why the same bug keeps coming back

CVE-2021-44228 scored a perfect CVSS 10.0 and hit CISA's Known Exploited Vulnerabilities list the day it was published — the root cause hasn't gone away.

Jul 8, 20266 min read
Vulnerability Management

CVE-2022-1471: Inside the SnakeYaml Deserialization RCE

CVE-2022-1471 scored 9.8 CRITICAL under NIST's CVSS calculation — a single YAML tag could hand attackers remote code execution in any Java app parsing untrusted input.

Jul 8, 20265 min read
Application Security

Apache Struts and the recurring pattern of path-traversal and RCE bugs

Equifax lost data on 147 million people to one unpatched Struts CVE in 2017 — and the same class of bug resurfaced in Struts as recently as December 2023.

Jul 7, 20266 min read
Vulnerability Analysis

Fastjson AutoType Bypass RCE (CVE-2022-25845) Explained

CVE-2022-25845 defeated Fastjson's autoType protection and reopened a deserialization RCE path. Here's how the bypass worked and how to lock the library down.

Jul 4, 20265 min read
java-security — Safeguard Blog