Software AG Products 10.5 | Administering Integration Server | Whitelist Filtering in Integration Server | About Whitelist Filtering in Integration Server
 
About Whitelist Filtering in Integration Server
Integration Server uses a whitelist filter to prevent the deserialization of unsafe Java objects. The Java deserialization vulnerability exists in applications that accept serialized objects but do not properly validate untrusted input before deserializing it. This gives an attacker an opening to insert a malicious object into the data stream, which can lead to remote code execution, denial of service, and other attacks.
In Integration Server, the IDataBinCoder protocol used to transmit IData supports serialized Java objects. This feature could be exploited if Integration Server were configured to load third-party libraries that can be used to construct a malicious serialized payload, which in turn can lead to arbitrary code execution and other serious security issues. If not addressed, this vulnerability could be exploited to damage the production environment.
To prevent Integration Server from deserializing untrusted Java objects, Integration Server includes a whitelist of classes that can be loaded and deserialized in Integration Server. When whitelist filtering is enabled, Integration Server deserializes a Java object only if the class appears in the whitelist. If Integration Server encounters a Java object whose class does not exist in the whitelist, Integration Server throws a ClassNotFoundException.
Integration Server includes a whitelist classes file for the server. You can also build a whitelist classes file for an individual package which can be used to identify custom classes used by the package.
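The following Java program is an added illustration of the mechanism described above; it is not Integration Server's own code and does not use any Integration Server API. It subclasses ObjectInputStream and, in resolveClass(), permits a class descriptor only if its fully qualified name is on an allow-list, throwing ClassNotFoundException otherwise, so a stream carrying an unexpected class is rejected before that class is loaded or instantiated. The file format read by loadWhitelist (one class name per line, '#' for comments) is an assumption made for this example, not the format of Integration Server's whitelist classes file, and the Greeting class is a constructed sample payload.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Added illustration of whitelist-based deserialization (not Integration Server code).
 * A class is resolved only if its fully qualified name is on the allow-list; any other
 * class descriptor in the stream raises ClassNotFoundException before an instance exists.
 */
public class WhitelistDeserializer {

    /** JVM descriptors for primitive array components, e.g. "[I" is int[]. */
    private static final Set<String> PRIMITIVE_DESCRIPTORS =
            new HashSet<>(Arrays.asList("Z", "B", "C", "S", "I", "J", "F", "D"));

    /** ObjectInputStream that consults the allow-list for every class descriptor. */
    public static final class WhitelistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        public WhitelistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            String component = componentName(name);
            if (!PRIMITIVE_DESCRIPTORS.contains(component) && !allowed.contains(component)) {
                // Reject before the class is loaded; no constructor or readObject() ever runs.
                throw new ClassNotFoundException(
                        "Class is not on the deserialization whitelist: " + name);
            }
            return super.resolveClass(desc);
        }

        /** "[[Lcom.example.Foo;" -> "com.example.Foo"; "[I" -> "I"; plain names are unchanged. */
        private static String componentName(String name) {
            String s = name;
            while (s.startsWith("[")) s = s.substring(1);
            if (s.startsWith("L") && s.endsWith(";")) s = s.substring(1, s.length() - 1);
            return s;
        }
    }

    /** Assumed file format (not Integration Server's): one class name per line, '#' comments. */
    public static Set<String> loadWhitelist(Path file) throws IOException {
        Set<String> names = new HashSet<>();
        for (String line : Files.readAllLines(file)) {
            String trimmed = line.trim();
            if (trimmed.isEmpty() || trimmed.startsWith("#")) continue;
            names.add(trimmed);
        }
        return names;
    }

    /** Constructed sample payload class used only for this demonstration. */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    /** Deserializes bytes, allowing only classes named in the whitelist. */
    public static Object deserialize(byte[] bytes, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in =
                     new WhitelistObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Build a serialized stream in memory so the demo runs offline.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(new Greeting("hello"));
        }
        byte[] payload = bos.toByteArray();

        // With Greeting on the whitelist, deserialization succeeds.
        Set<String> allowed = new HashSet<>(Collections.singleton(Greeting.class.getName()));
        Greeting g = (Greeting) deserialize(payload, allowed);
        System.out.println("allowed: " + g.text);

        // With an empty whitelist, the same stream is rejected with ClassNotFoundException.
        try {
            deserialize(payload, Collections.emptySet());
        } catch (ClassNotFoundException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Strings, boxed primitives written as TC_STRING entries, and primitive arrays do not go through a class descriptor check, so the allow-list only needs to name the application classes that a legitimate stream carries; a per-package list, as the page describes, would simply be merged into the same set before the stream is read. On Java 9 and later the same policy can be expressed with the standard ObjectInputFilter API (ObjectInputStream.setObjectInputFilter), which is applied before resolveClass() and also enforces depth and array-length limits.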