JNDI supports the deserialization of objects from LDAP directories, which can lead to remote code execution.

Why is this an issue?

JNDI can deserialize Java objects returned by an LDAP directory when SearchControls is configured with the returningObjFlag parameter set to true. If the LDAP directory is untrusted or has been compromised, an attacker can inject a malicious serialized object that executes arbitrary code on the server when deserialized.

What is the potential impact?

If successfully exploited, an attacker who can control the content of the LDAP directory can craft a malicious serialized object that, when deserialized, executes arbitrary code on the server. This can lead to full system compromise, including data exfiltration, malware installation, or lateral movement within the network.

How to fix it

Set the returningObjFlag parameter to false when constructing SearchControls to prevent JNDI from deserializing objects returned by the LDAP directory.

Code examples

Noncompliant code example

import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;

DirContext ctx = new InitialDirContext();
// ...
ctx.search(query, filter,
        new SearchControls(scope, countLimit, timeLimit, attributes,
            true, // Noncompliant: returningObjFlag lets JNDI deserialize directory objects
            deref));

Compliant solution

import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;

DirContext ctx = new InitialDirContext();
// ...
ctx.search(query, filter,
        new SearchControls(scope, countLimit, timeLimit, attributes,
            false, // Compliant: only attributes are returned, nothing is deserialized
            deref));
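A fuller, self-contained version of the compliant search, added here as an example rather than taken from the rule page: it builds the SearchControls with returningObjFlag set to false, adds a guard that rejects controls configured otherwise, and reads only attributes from the results. The class name, the helper names, and the choice of the uid and mail attributes are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class SafeLdapSearch {
    // Guard for SearchControls built elsewhere (hypothetical helper): refuse any
    // configuration that lets the JNDI LDAP provider deserialize directory objects.
    static void requireNoObjectReturn(SearchControls controls) {
        if (controls.getReturningObjFlag()) {
            throw new IllegalArgumentException(
                "returningObjFlag must be false: LDAP content is untrusted");
        }
    }

    // Looks up the mail attribute of entries whose uid matches, reading attributes only.
    static List<String> findMailAddresses(DirContext ctx, String baseDn, String uid)
            throws NamingException {
        SearchControls controls = new SearchControls(
                SearchControls.SUBTREE_SCOPE,
                0,                      // countLimit: 0 means no limit
                5000,                   // timeLimit in milliseconds
                new String[] {"mail"},  // only the attributes we need
                false,                  // returningObjFlag: never deserialize directory objects
                false);                 // deref: do not follow aliases
        requireNoObjectReturn(controls);

        // Pass the user-supplied value as a filter argument; JNDI escapes {0} for us.
        NamingEnumeration<SearchResult> results =
                ctx.search(baseDn, "(uid={0})", new Object[] {uid}, controls);
        List<String> mails = new ArrayList<>();
        try {
            while (results.hasMore()) {
                SearchResult entry = results.next();
                // With returningObjFlag false, entry.getObject() is null: only attributes arrive.
                Attribute mail = entry.getAttributes().get("mail");
                if (mail != null) {
                    mails.add((String) mail.get());
                }
            }
        } finally {
            results.close();
        }
        return mails;
    }
}
```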
