KB Article #181827

SECURITY: Enable and disable deserialization

Problem

Axway was made aware of a possible deserialization vulnerability. To mitigate the risks associated with it, SecureTransport uses a strict global filtering mechanism, based on the JEP-290 specification. If your deployment uses legacy customization that relies on serialization, that customization may stop working.


Resolution

After installing SecureTransport 5.5-20210930 or SecureTransport 5.4 Patch 55, verify that your legacy custom code continues to work as expected. If a custom extension uses Java serialization in any way, directly or indirectly (through third-party dependencies), that code may stop working. There are two ways to solve this.


Consider refactoring the customizations to eliminate serialization from their implementation. Axway recommends against using serialization, or third-party libraries that use serialization internally, when developing product extensions.


Whitelist the third-party classes that require serialization so that they are allowed to deserialize. Follow the instructions below to whitelist the required third-party libraries.


Whitelisting

By default, the safe-deserialization.txt configuration file is embedded in the $FILEDRIVEHOME/lib/jars/stcore.jar archive. To add additional patterns to it (third-party plugins or any other custom code that uses deserialization), extract the file and place it in the $FILEDRIVEHOME/conf folder. Note that SecureTransport must be restarted to reload the deserialization patterns from the new location.


Extracting

To extract the file, use either the jar or unzip command:


jar xf $FILEDRIVEHOME/lib/jars/stcore.jar safe-deserialization.txt && mv safe-deserialization.txt $FILEDRIVEHOME/conf/safe-deserialization.txt


unzip -p $FILEDRIVEHOME/lib/jars/stcore.jar safe-deserialization.txt > $FILEDRIVEHOME/conf/safe-deserialization.txt


Pattern language

A filter is configured as a sequence of patterns. Each pattern is either matched against the name of a class in the stream or sets a limit. Patterns are separated by newlines in the configuration file. Whitespace is significant and is considered part of the pattern, so do not add trailing spaces or indentation to a line. For more information, see the JEP-290 specification.


When adding patterns, always make sure to be as precise as possible. Allowing too many classes might open the system to exploits.
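The following is an added example, not Axway code and not the contents of the shipped safe-deserialization.txt. It shows how a newline-separated pattern list in that file's format is turned into a JEP-290 filter with the standard ObjectInputFilter.Config.createFilter API, how an exactly named class is accepted while an unlisted class is rejected by the trailing "!*" pattern, and how an over-broad wildcard pattern of the kind the article warns against lets the unlisted class through. The class names (DeserializationFilterDemo, ExtensionConfig, UnexpectedType), the helper filterFromFile and the pattern text are all constructed for the example; SecureTransport itself installs its filter globally and restarts to reload the file, whereas this example sets the filter on a single stream so it can run stand-alone.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Arrays;
import java.util.stream.Collectors;

// Added example (not Axway code): demonstrates how a JEP-290 pattern list in the
// safe-deserialization.txt format decides which classes an ObjectInputStream accepts.
public class DeserializationFilterDemo {

    // Constructed stand-in for a serializable type used by a legacy extension.
    public static final class ExtensionConfig implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        ExtensionConfig(String name) { this.name = name; }
    }

    // Constructed stand-in for a type that is NOT on the whitelist.
    public static final class UnexpectedType implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Constructed file content, one pattern per line as in safe-deserialization.txt:
    // resource limits first, then exact class names, then a final "!*" that rejects
    // everything not explicitly allowed. Whitespace is significant, so lines are not trimmed.
    static final String FILE_CONTENT =
          "maxdepth=20\n"
        + "maxarray=1000\n"
        + "DeserializationFilterDemo$ExtensionConfig\n"
        + "java.lang.String\n"
        + "!*\n";

    // Hypothetical helper: createFilter expects ';'-separated patterns, so the
    // newline-separated file is joined. Empty lines are dropped; nothing else is altered.
    static ObjectInputFilter filterFromFile(String content) {
        String joined = Arrays.stream(content.split("\n"))
            .filter(line -> !line.isEmpty())
            .collect(Collectors.joining(";"));
        return ObjectInputFilter.Config.createFilter(joined);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserializes with the filter installed on this stream only (not the JVM-wide filter).
    static Object deserialize(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectInputFilter filter = filterFromFile(FILE_CONTENT);

        // Allowed: ExtensionConfig matches an exact-name pattern.
        ExtensionConfig cfg = (ExtensionConfig) deserialize(
            serialize(new ExtensionConfig("sftp-hook")), filter);
        System.out.println("accepted: " + cfg.name);

        // Rejected: UnexpectedType matches only the trailing "!*", so readObject
        // throws InvalidClassException with filter status REJECTED.
        try {
            deserialize(serialize(new UnexpectedType()), filter);
            System.out.println("unexpectedly accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Too broad: a prefix wildcard covering every nested class of this demo also
        // admits UnexpectedType. This is the imprecision the article warns against.
        ObjectInputFilter broad =
            ObjectInputFilter.Config.createFilter("DeserializationFilterDemo$*;!*");
        deserialize(serialize(new UnexpectedType()), broad);
        System.out.println("broad pattern accepted UnexpectedType");
    }
}
```

Compile and run with a Java 9 or later JDK (`javac DeserializationFilterDemo.java && java DeserializationFilterDemo`). When checking a whitelist entry for a third-party library, the same approach applies: serialize a representative object from that library, deserialize it under a filter built from your edited file, and confirm it is accepted, while an unrelated class is still rejected.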