Oracle plans to remove serialization capabilities from Java because it has always been a thorny security issue. Java serialization, also known as Java object serialization, encodes objects into byte streams. Mark Reinhold, the chief architect of Oracle’s Java platform group, said: “Removing serialization is a long-term goal and is part of Project Amber, which is focused on productivity-oriented Java language features.”
To replace the current serialization technology, once records land, a small serialization framework will be placed in the platform to support records, the Java version of data classes. The framework could support graphs of records, and developers could plug in the serialization engine of their choice, with support for formats such as JSON or XML, so that records are serialized in a secure manner. However, Reinhold cannot yet say which version of Java will have records. Serialization was a “horrible mistake” in 1997, Reinhold said. He estimates that at least a third, or even half, of Java vulnerabilities involve serialization; serialization is generally fragile, but it has features that are easy to use in simple cases.
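The risk Reinhold describes comes from the fact that plain object serialization will reconstruct whatever classes a byte stream names. The defensive control available in today's Java is a deserialization filter (JEP 290's `ObjectInputFilter`, Java 9 and later) that limits the stream to the classes the application expects. The example below is added here and is not from the InfoWorld article; the `Order` and `Unexpected` records, the class name `SerializationFilterDemo` and the filter pattern are assumptions chosen for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example (not the article's code): round-trip a record through Java
// object serialization, then read it back only through an allow-list filter.
// Requires Java 16+ for records; the filter API itself exists since Java 9.
public class SerializationFilterDemo {

    // Hypothetical data class standing in for the "Java version of data classes".
    public record Order(String id, int quantity) implements Serializable {}

    // Hypothetical class that the reader is NOT supposed to accept.
    public record Unexpected(String note) implements Serializable {}

    // Encode an object graph into a byte stream (what "serialization" means here).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Decode a byte stream, but only for the classes named in the allow-list.
    // "java.base/*" admits the JDK's own base classes that a record's fields may
    // reference; "!*" rejects every other class before it is instantiated.
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "SerializationFilterDemo$Order;java.base/*;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected class: accepted and reconstructed.
        byte[] ok = serialize(new Order("A-1", 3));
        System.out.println("accepted: " + deserialize(ok));

        // Class outside the allow-list: the filter rejects it with InvalidClassException
        // before any of that class's deserialization logic runs.
        byte[] bad = serialize(new Unexpected("not on the list"));
        try {
            deserialize(bad);
            System.out.println("unexpectedly accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SerializationFilterDemo.java && java SerializationFilterDemo`. The filter is the current stop-gap for the fragility the article describes: it does not make object serialization safe in general, but it keeps an `ObjectInputStream` from instantiating classes the application never intended to read, which is why a pluggable, format-specific engine for records is being proposed as the longer-term replacement.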
Source: InfoWorld