https://www.secdev.uk/blog/tags/log4shell/ Recent content in Log4Shell on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 13 Sep 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-09-13-java-security-spring-boot-deserialization/ Sat, 13 Sep 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-09-13-java-security-spring-boot-deserialization/ <p>Java has this reputation for being &ldquo;safe&rdquo; because of its type system, managed memory, and mature ecosystem. The more I&rsquo;ve dug into Java security, the more I think that reputation is misleading, and honestly, a bit dangerous. Java&rsquo;s security pitfalls aren&rsquo;t about buffer overflows or memory corruption. They&rsquo;re about the language&rsquo;s powerful runtime features: deserialization, reflection, JNDI lookups, expression languages, and the Spring framework&rsquo;s convention-over-configuration philosophy that silently enables dangerous defaults. In this post I want to walk through the Java-specific anti-patterns that lead to remote code execution, data leaks, and authentication bypasses, from the classic <code>ObjectInputStream</code> gadget chain to the Spring Boot actuator endpoint that can expose entire environments.</p>