{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/java/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["fabric-sdk-java"],"_cs_severities":["critical"],"_cs_tags":["deserialization","rce","java"],"_cs_type":"advisory","_cs_vendors":["Hyperledger"],"content_html":"\u003cp\u003eThe \u003ccode\u003efabric-sdk-java\u003c/code\u003e client SDK, a deprecated component of Hyperledger Fabric, contains a critical vulnerability related to insecure deserialization. Specifically, the \u003ccode\u003eChannel.java\u003c/code\u003e file implements \u003ccode\u003ereadObject()\u003c/code\u003e and exposes \u003ccode\u003edeSerializeChannel()\u003c/code\u003e methods that call \u003ccode\u003eObjectInputStream.readObject()\u003c/code\u003e on untrusted byte arrays without configuring an \u003ccode\u003eObjectInputFilter\u003c/code\u003e. This omission allows an attacker to inject malicious serialized Java objects, leading to remote code execution (RCE). While \u003ccode\u003efabric-sdk-java\u003c/code\u003e has been deprecated since Hyperledger Fabric v2.5 and replaced by \u003ccode\u003eorg.hyperledger.fabric:fabric-gateway\u003c/code\u003e, organizations that have not yet migrated are still vulnerable. This issue highlights the risks associated with using deprecated software and the importance of migrating to supported versions. The vulnerability exists in versions 1.0.0 through 2.2.26.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious serialized Java object using a tool like \u003ccode\u003eysoserial\u003c/code\u003e. For example, \u003ccode\u003ejava -jar ysoserial.jar CommonsCollections6 \u0026quot;touch /tmp/pwned\u0026quot; \u0026gt; malicious_channel.ser\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker gains the ability to supply crafted serialized Channel bytes to the client application. This could involve compromising a local channel file.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious serialized data through an application that accepts Channel bytes from external sources.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003edeSerializeChannel()\u003c/code\u003e method in \u003ccode\u003eChannel.java\u003c/code\u003e is called with the attacker-controlled byte array.\u003c/li\u003e\n\u003cli\u003eInside \u003ccode\u003edeSerializeChannel()\u003c/code\u003e, an \u003ccode\u003eObjectInputStream\u003c/code\u003e is created from the byte array.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ereadObject()\u003c/code\u003e method of \u003ccode\u003eObjectInputStream\u003c/code\u003e is called without any \u003ccode\u003eObjectInputFilter\u003c/code\u003e, deserializing the malicious object.\u003c/li\u003e\n\u003cli\u003eThe deserialization process triggers the execution of a gadget chain embedded in the malicious object.\u003c/li\u003e\n\u003cli\u003eThe gadget chain executes arbitrary code on the server, achieving RCE.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the server running the vulnerable \u003ccode\u003efabric-sdk-java\u003c/code\u003e application. This can lead to complete system compromise, data breaches, and other malicious activities. The severity is critical due to the potential for unauthenticated remote code execution. Organizations still using the deprecated \u003ccode\u003efabric-sdk-java\u003c/code\u003e are at high risk until they migrate to the supported \u003ccode\u003efabric-gateway\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eMigrate to \u003ccode\u003eorg.hyperledger.fabric:fabric-gateway\u003c/code\u003e immediately\u003c/strong\u003e as the primary remediation, as it does not use Java serialization.\u003c/li\u003e\n\u003cli\u003eFor organizations unable to migrate immediately, apply the suggested fix of adding an \u003ccode\u003eObjectInputFilter\u003c/code\u003e to whitelist only expected classes as described in the advisory.\u003c/li\u003e\n\u003cli\u003eImplement runtime monitoring of Java deserialization to detect and prevent exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable logging of deserialization events to aid in incident response.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T20:41:58Z","date_published":"2026-04-29T20:41:58Z","id":"/briefs/2024-01-26-fabric-deserialization/","summary":"The deprecated fabric-sdk-java client SDK is vulnerable to Java deserialization RCE due to the use of ObjectInputStream.readObject() without an ObjectInputFilter in Channel.java, allowing remote code execution if an attacker can supply crafted serialized Channel bytes to the client application.","title":"Hyperledger Fabric SDK Java Deserialization RCE","url":"https://feed.craftedsignal.io/briefs/2024-01-26-fabric-deserialization/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-34282"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["CVE-2026-34282","java","graalvm","dos","denial-of-service"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-34282 is a critical vulnerability affecting the Networking component of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. The vulnerability, present in versions 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, and 26 of Oracle Java SE, GraalVM for JDK versions 17.0.18 and 21.0.10, and GraalVM Enterprise Edition 21.3.17, allows an unauthenticated attacker with network access to trigger a complete denial-of-service (DoS) condition. This is achieved by sending specially crafted network requests to APIs within the affected Networking component, potentially through web services. Successful exploitation results in a hang or repeatable crash of the Java SE or GraalVM instance. The vulnerability is particularly concerning for Java deployments running sandboxed Java Web Start applications or applets that load and execute untrusted code from sources like the internet.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Oracle Java SE or GraalVM instance accessible over the network. This could be a web server running a Java-based web application, or a client running a Java applet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious network request specifically designed to exploit the Networking component vulnerability (CVE-2026-34282). The specific protocol is not defined, but the vulnerability description suggests multiple protocols could be leveraged.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious request to a network port exposed by the vulnerable Java application or service. This could be port 80 (HTTP), 443 (HTTPS), or a custom port used by the application.\u003c/li\u003e\n\u003cli\u003eThe vulnerable Networking component processes the malicious request. Due to the flaw in the code, the request triggers an unhandled exception or resource exhaustion within the Java Virtual Machine (JVM).\u003c/li\u003e\n\u003cli\u003eThe JVM enters a hung state, becomes unresponsive, or crashes entirely. This could also lead to a repeatable crash loop.\u003c/li\u003e\n\u003cli\u003eLegitimate users of the application or service are unable to access it.\u003c/li\u003e\n\u003cli\u003eIf the vulnerable application is critical to business operations, this can lead to significant disruption and financial loss.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34282 leads to a complete denial-of-service condition. Affected Java SE and GraalVM instances become unresponsive or crash repeatedly, disrupting services and applications that rely on them. This vulnerability could impact various sectors, including finance, healthcare, and e-commerce, wherever Java-based applications are deployed. The potential number of victims is substantial, considering the widespread use of Java and GraalVM in enterprise environments. If exploited, it can cause significant downtime, data loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately apply the patches provided by Oracle for CVE-2026-34282 to all affected Oracle Java SE and GraalVM installations.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious network requests targeting Java-based applications to detect potential exploitation attempts. Deploy the Sigma rule \u003ccode\u003eDetect Suspicious Java Network Activity\u003c/code\u003e to identify anomalous network behavior related to Java processes.\u003c/li\u003e\n\u003cli\u003eReview and harden the network perimeter to restrict access to vulnerable Java-based applications or services, minimizing the attack surface.\u003c/li\u003e\n\u003cli\u003eImplement intrusion detection systems (IDS) or intrusion prevention systems (IPS) to detect and block malicious network traffic attempting to exploit CVE-2026-34282.\u003c/li\u003e\n\u003cli\u003eFor environments running sandboxed Java Web Start applications or applets, ensure that the Java sandbox is properly configured and up-to-date to mitigate the risk of running untrusted code.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-java-dos/","summary":"CVE-2026-34282 is a remotely exploitable vulnerability in the Networking component of Oracle Java SE and GraalVM that allows an unauthenticated attacker to cause a complete denial of service.","title":"Oracle Java SE, GraalVM Networking Component Denial-of-Service Vulnerability (CVE-2026-34282)","url":"https://feed.craftedsignal.io/briefs/2026-04-java-dos/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9,"id":"CVE-2021-45046"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["jndi","java","log4shell","rce","exploitation"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection rule identifies potential exploitation attempts targeting Java Naming and Directory Interface (JNDI) vulnerabilities. These vulnerabilities, exemplified by CVE-2021-45046, allow attackers to perform remote code execution by injecting malicious payloads through directory services like LDAP. The rule focuses on detecting suspicious outbound network connections from Java processes to standard ports associated with LDAP (389, 1389), RMI (1099), and DNS (53, 5353), followed by the execution of suspicious child processes indicative of command execution such as shell interpreters (sh, bash, zsh) or scripting languages (python, perl). The rule aims to identify exploitation attempts similar to those seen with Log4Shell and related vulnerabilities, which have been actively exploited since late 2021. It covers Linux and macOS environments and provides a mechanism to detect ongoing exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA vulnerable Java application receives malicious input containing a JNDI lookup string.\u003c/li\u003e\n\u003cli\u003eThe Java application attempts to resolve the JNDI name, initiating an outbound network connection to an LDAP, RMI, or DNS server on ports 389, 1389, 1099, 53, or 5353.\u003c/li\u003e\n\u003cli\u003eThe malicious LDAP/RMI/DNS server, controlled by the attacker, responds with a payload referencing a malicious Java class or remote code.\u003c/li\u003e\n\u003cli\u003eThe Java application loads and executes the malicious code.\u003c/li\u003e\n\u003cli\u003eAs a result of the executed code, a shell interpreter (sh, bash, zsh, etc.) or scripting language (python, perl, ruby, php, wget) is spawned as a child process of the Java application.\u003c/li\u003e\n\u003cli\u003eThe spawned shell/script executes attacker-controlled commands for reconnaissance, privilege escalation, or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker gains a foothold on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions such as data exfiltration or deploying malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of JNDI vulnerabilities can lead to remote code execution, allowing attackers to gain complete control over affected systems. This can result in data breaches, system compromise, and further propagation of attacks within the network. The impact can range from service disruption to complete system takeover. Public exploits for vulnerabilities such as Log4Shell have been widely available, leading to widespread scanning and exploitation attempts across various industries.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential JAVA/JNDI Exploitation Attempt\u0026rdquo; to your SIEM to detect suspicious Java processes initiating network connections to LDAP, RMI, or DNS ports followed by suspicious child processes.\u003c/li\u003e\n\u003cli\u003eEnable process creation and network connection logging on Linux and macOS endpoints to provide the necessary data for the Sigma rules to function correctly.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate Java applications that may trigger false positives due to legitimate network connections (see the \u0026ldquo;False positive analysis\u0026rdquo; section in the original rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e field).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of successful exploitation by restricting lateral movement.\u003c/li\u003e\n\u003cli\u003ePatch vulnerable Java applications and libraries, such as Log4j, to prevent exploitation of known vulnerabilities like CVE-2021-45046.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T14:24:53Z","date_published":"2026-04-01T14:24:53Z","id":"/briefs/2026-06-java-jndi-exploitation/","summary":"This rule detects a potential JAVA/JNDI exploitation attempt by identifying outbound network connections by JAVA to LDAP, RMI, or DNS standard ports followed by suspicious JAVA child processes such as shell interpreters and scripting languages, which may indicate a Java Naming and Directory Interface (JNDI) injection vulnerability exploitation attempt.","title":"Potential JAVA/JNDI Exploitation Attempt","url":"https://feed.craftedsignal.io/briefs/2026-06-java-jndi-exploitation/"}],"language":"en","title":"CraftedSignal Threat Feed — Java","version":"https://jsonfeed.org/version/1.1"}