JNDI supports the deserialization of objects from LDAP directories, which can lead to remote code execution.
JNDI can deserialize Java objects returned by an LDAP directory when SearchControls is configured with the
returningObjFlag parameter set to true. If the LDAP directory is untrusted or has been compromised, an attacker can inject a
malicious serialized object that executes arbitrary code on the server when deserialized.
If successfully exploited, an attacker who can control the content of the LDAP directory can craft a malicious serialized object that, when deserialized, executes arbitrary code on the server. This can lead to full system compromise, including data exfiltration, malware installation, or lateral movement within the network.
Set the returningObjFlag parameter to false when constructing SearchControls to prevent JNDI from
deserializing objects returned by the LDAP directory.
DirContext ctx = new InitialDirContext();
// ...
ctx.search(query, filter,
new SearchControls(scope, countLimit, timeLimit, attributes,
true, // Noncompliant: allows deserialization
deref));

DirContext ctx = new InitialDirContext();
// ...
ctx.search(query, filter,
new SearchControls(scope, countLimit, timeLimit, attributes,
false, // Compliant: returned entries are read as attributes only, nothing is deserialized
deref));
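The following added example is not part of the rule page; it shows a complete lookup that applies the fix above. It uses the setter form of the same flag, `setReturningObjFlag(false)`, and reads the result through `SearchResult.getAttributes()` so that no server-supplied object is ever reconstructed. The class name `SafeLdapLookup`, the attribute `mail`, and the `url`/`baseDn` parameters are assumptions chosen for illustration.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Assumed example class, not the rule's own code.
public final class SafeLdapLookup {

    // Builds SearchControls that only ask the directory for attributes.
    // The no-argument constructor already defaults returningObjFlag to false;
    // it is set explicitly here so a later edit cannot silently re-enable it.
    static SearchControls attributeOnlyControls(String[] attrs) {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(attrs);
        sc.setReturningObjFlag(false); // Compliant: JNDI will not deserialize returned objects
        sc.setCountLimit(100);          // bound the result set
        sc.setTimeLimit(5_000);         // milliseconds; bound the query time
        return sc;
    }

    // Returns the "mail" values for a user, found by uid.
    // url and baseDn are assumed inputs, e.g. "ldap://ldap.example.test:389" and "dc=example,dc=test".
    static List<String> lookupMail(String url, String baseDn, String uid) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);

        DirContext ctx = new InitialDirContext(env);
        try {
            // Pass the uid as a filter argument ({0}) rather than concatenating it,
            // so user input cannot change the filter structure.
            NamingEnumeration<SearchResult> results = ctx.search(
                    baseDn,
                    "(uid={0})",
                    new Object[] { uid },
                    attributeOnlyControls(new String[] { "mail" }));

            List<String> mails = new ArrayList<>();
            while (results.hasMore()) {
                SearchResult r = results.next();
                // r.getObject() is null here: the directory's stored object (if any)
                // was never fetched or deserialized. Only attribute values are read.
                Attribute mail = r.getAttributes().get("mail");
                if (mail != null) {
                    mails.add((String) mail.get());
                }
            }
            return mails;
        } finally {
            ctx.close();
        }
    }
}
```

When reviewing existing code, the check is simply that every `SearchControls` either uses the no-argument constructor without a later `setReturningObjFlag(true)`, or passes `false` as the fifth constructor argument, and that callers never rely on `SearchResult.getObject()` for data coming from the directory. Recent JDK releases additionally gate LDAP object deserialization behind the `com.sun.jndi.ldap.object.trustSerialData` system property, which defaults to off; leaving that default in place is a useful second layer, but it does not replace fixing the flag in code that must also run on older runtimes.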