<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Java — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/java/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 29 Apr 2026 20:41:58 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/java/feed.xml" rel="self" type="application/rss+xml"/><item><title>Hyperledger Fabric SDK Java Deserialization RCE</title><link>https://feed.craftedsignal.io/briefs/2024-01-26-fabric-deserialization/</link><pubDate>Wed, 29 Apr 2026 20:41:58 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-26-fabric-deserialization/</guid><description>The deprecated fabric-sdk-java client SDK is vulnerable to Java deserialization RCE due to the use of ObjectInputStream.readObject() without an ObjectInputFilter in Channel.java, allowing remote code execution if an attacker can supply crafted serialized Channel bytes to the client application.</description><content:encoded><![CDATA[<p>The <code>fabric-sdk-java</code> client SDK, a deprecated component of Hyperledger Fabric, contains a critical vulnerability related to insecure deserialization. Specifically, the <code>Channel.java</code> file implements <code>readObject()</code> and exposes <code>deSerializeChannel()</code> methods that call <code>ObjectInputStream.readObject()</code> on untrusted byte arrays without configuring an <code>ObjectInputFilter</code>. This omission allows an attacker to inject malicious serialized Java objects, leading to remote code execution (RCE). 
While <code>fabric-sdk-java</code> has been deprecated since Hyperledger Fabric v2.5 and replaced by <code>org.hyperledger.fabric:fabric-gateway</code>, organizations that have not yet migrated are still vulnerable. This issue highlights the risks associated with using deprecated software and the importance of migrating to supported versions. The vulnerability exists in versions 1.0.0 through 2.2.26.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker crafts a malicious serialized Java object using a tool like <code>ysoserial</code>. For example, <code>java -jar ysoserial.jar CommonsCollections6 &quot;touch /tmp/pwned&quot; &gt; malicious_channel.ser</code>.</li>
<li>The attacker gains the ability to supply crafted serialized Channel bytes to the client application. This could involve compromising a local channel file.</li>
<li>The attacker injects the malicious serialized data through an application that accepts Channel bytes from external sources.</li>
<li>The vulnerable <code>deSerializeChannel()</code> method in <code>Channel.java</code> is called with the attacker-controlled byte array.</li>
<li>Inside <code>deSerializeChannel()</code>, an <code>ObjectInputStream</code> is created from the byte array.</li>
<li>The <code>readObject()</code> method of <code>ObjectInputStream</code> is called without any <code>ObjectInputFilter</code>, deserializing the malicious object.</li>
<li>The deserialization process triggers the execution of a gadget chain embedded in the malicious object.</li>
<li>The gadget chain executes arbitrary code on the server, achieving RCE.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the server running the vulnerable <code>fabric-sdk-java</code> application. This can lead to complete system compromise, data breaches, and other malicious activities. The severity is critical due to the potential for unauthenticated remote code execution. Organizations still using the deprecated <code>fabric-sdk-java</code> are at high risk until they migrate to the supported <code>fabric-gateway</code>.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Migrate to <code>org.hyperledger.fabric:fabric-gateway</code> immediately</strong> as the primary remediation, as it does not use Java serialization.</li>
<li>For organizations unable to migrate immediately, apply the suggested fix of adding an <code>ObjectInputFilter</code> to whitelist only expected classes as described in the advisory.</li>
<li>Implement runtime monitoring of Java deserialization to detect and prevent exploitation attempts.</li>
<li>Enable logging of deserialization events to aid in incident response.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>deserialization</category><category>rce</category><category>java</category></item><item><title>Oracle Java SE, GraalVM Networking Component Denial-of-Service Vulnerability (CVE-2026-34282)</title><link>https://feed.craftedsignal.io/briefs/2026-04-java-dos/</link><pubDate>Wed, 22 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-java-dos/</guid><description>CVE-2026-34282 is a remotely exploitable vulnerability in the Networking component of Oracle Java SE and GraalVM that allows an unauthenticated attacker to cause a complete denial of service.</description><content:encoded><![CDATA[<p>CVE-2026-34282 is a critical vulnerability affecting the Networking component of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. The vulnerability, present in versions 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, and 26 of Oracle Java SE, GraalVM for JDK versions 17.0.18 and 21.0.10, and GraalVM Enterprise Edition 21.3.17, allows an unauthenticated attacker with network access to trigger a complete denial-of-service (DoS) condition. This is achieved by sending specially crafted network requests to APIs within the affected Networking component, potentially through web services. Successful exploitation results in a hang or repeatable crash of the Java SE or GraalVM instance. The vulnerability is particularly concerning for Java deployments running sandboxed Java Web Start applications or applets that load and execute untrusted code from sources like the internet.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Oracle Java SE or GraalVM instance accessible over the network. This could be a web server running a Java-based web application, or a client running a Java applet.</li>
<li>The attacker crafts a malicious network request specifically designed to exploit the Networking component vulnerability (CVE-2026-34282). The specific protocol is not defined, but the vulnerability description suggests multiple protocols could be leveraged.</li>
<li>The attacker sends the malicious request to a network port exposed by the vulnerable Java application or service. This could be port 80 (HTTP), 443 (HTTPS), or a custom port used by the application.</li>
<li>The vulnerable Networking component processes the malicious request. Due to the flaw in the code, the request triggers an unhandled exception or resource exhaustion within the Java Virtual Machine (JVM).</li>
<li>The JVM enters a hung state, becomes unresponsive, or crashes entirely. This could also lead to a repeatable crash loop.</li>
<li>Legitimate users of the application or service are unable to access it.</li>
<li>If the vulnerable application is critical to business operations, this can lead to significant disruption and financial loss.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-34282 leads to a complete denial-of-service condition. Affected Java SE and GraalVM instances become unresponsive or crash repeatedly, disrupting services and applications that rely on them. This vulnerability could impact various sectors, including finance, healthcare, and e-commerce, wherever Java-based applications are deployed. The potential number of victims is substantial, considering the widespread use of Java and GraalVM in enterprise environments. If exploited, it can cause significant downtime, data loss, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately apply the patches provided by Oracle for CVE-2026-34282 to all affected Oracle Java SE and GraalVM installations.</li>
<li>Monitor web server logs for suspicious network requests targeting Java-based applications to detect potential exploitation attempts. Deploy the Sigma rule <code>Detect Suspicious Java Network Activity</code> to identify anomalous network behavior related to Java processes.</li>
<li>Review and harden the network perimeter to restrict access to vulnerable Java-based applications or services, minimizing the attack surface.</li>
<li>Implement intrusion detection systems (IDS) or intrusion prevention systems (IPS) to detect and block malicious network traffic attempting to exploit CVE-2026-34282.</li>
<li>For environments running sandboxed Java Web Start applications or applets, ensure that the Java sandbox is properly configured and up-to-date to mitigate the risk of running untrusted code.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>CVE-2026-34282</category><category>java</category><category>graalvm</category><category>dos</category><category>denial-of-service</category></item><item><title>Potential JAVA/JNDI Exploitation Attempt</title><link>https://feed.craftedsignal.io/briefs/2026-06-java-jndi-exploitation/</link><pubDate>Wed, 01 Apr 2026 14:24:53 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-06-java-jndi-exploitation/</guid><description>This rule detects a potential JAVA/JNDI exploitation attempt by identifying outbound network connections by JAVA to LDAP, RMI, or DNS standard ports followed by suspicious JAVA child processes such as shell interpreters and scripting languages, which may indicate a Java Naming and Directory Interface (JNDI) injection vulnerability exploitation attempt.</description><content:encoded><![CDATA[<p>This detection rule identifies potential exploitation attempts targeting Java Naming and Directory Interface (JNDI) vulnerabilities. These vulnerabilities, exemplified by CVE-2021-45046, allow attackers to perform remote code execution by injecting malicious payloads through directory services like LDAP. The rule focuses on detecting suspicious outbound network connections from Java processes to standard ports associated with LDAP (389, 1389), RMI (1099), and DNS (53, 5353), followed by the execution of suspicious child processes indicative of command execution such as shell interpreters (sh, bash, zsh) or scripting languages (python, perl). The rule aims to identify exploitation attempts similar to those seen with Log4Shell and related vulnerabilities, which have been actively exploited since late 2021. It covers Linux and macOS environments and provides a mechanism to detect ongoing exploitation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A vulnerable Java application receives malicious input containing a JNDI lookup string.</li>
<li>The Java application attempts to resolve the JNDI name, initiating an outbound network connection to an LDAP, RMI, or DNS server on ports 389, 1389, 1099, 53, or 5353.</li>
<li>The malicious LDAP/RMI/DNS server, controlled by the attacker, responds with a payload referencing a malicious Java class or remote code.</li>
<li>The Java application loads and executes the malicious code.</li>
<li>As a result of the executed code, a shell interpreter (sh, bash, zsh, etc.), a scripting-language interpreter (python, perl, ruby, php), or a download utility such as wget is spawned as a child process of the Java application.</li>
<li>The spawned shell/script executes attacker-controlled commands for reconnaissance, privilege escalation, or lateral movement.</li>
<li>The attacker gains a foothold on the system.</li>
<li>The attacker performs actions such as data exfiltration or deploying malware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of JNDI vulnerabilities can lead to remote code execution, allowing attackers to gain complete control over affected systems. This can result in data breaches, system compromise, and further propagation of attacks within the network. The impact can range from service disruption to complete system takeover. Public exploits for vulnerabilities such as Log4Shell have been widely available, leading to widespread scanning and exploitation attempts across various industries.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Potential JAVA/JNDI Exploitation Attempt&rdquo; to your SIEM to detect suspicious Java processes initiating network connections to LDAP, RMI, or DNS ports followed by suspicious child processes.</li>
<li>Enable process creation and network connection logging on Linux and macOS endpoints to provide the necessary data for the Sigma rules to function correctly.</li>
<li>Review and whitelist legitimate Java applications that may trigger false positives due to legitimate network connections (see the &ldquo;False positive analysis&rdquo; section in the original rule&rsquo;s <code>note</code> field).</li>
<li>Implement network segmentation to limit the impact of successful exploitation by restricting lateral movement.</li>
<li>Patch vulnerable Java applications and libraries, such as Log4j, to prevent exploitation of known vulnerabilities like CVE-2021-45046.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>jndi</category><category>java</category><category>log4shell</category><category>rce</category><category>exploitation</category></item></channel></rss>