Java Deserialization

Beginning with Release 12.2.9, you can use an API to place the classes that a deserialization is expected to contain on an allowlist. The wrapper class oracle.apps.fnd.security.io.FilteredObjectInputStream.java sets the JEP 290 serialization filter on the ObjectInputStream so that every read* call passes through the filtering mechanism.

The pattern illustrated below lists the classes that are expected in the deserialization stream. If the stream contains class metadata for any other class, the deserialization is rejected.

Procedure to Uptake the AOL/J JEP API:

  1. Identify all the classes involved in your Java code deserialization.

    For example, the classes involved in deserialization might be:

    java.lang.Double;java.lang.Float;
    java.lang.Short;java.lang.Byte;
    java.lang.Integer;oracle.apps.ieu.**

  2. Replace the existing code with the new code, following the example below.

    import java.io.IOException;
    import java.io.InputStream;
    import java.io.InvalidClassException;
    import oracle.apps.fnd.security.io.FilteredObjectInputStream;

    FilteredObjectInputStream fois = null;
    try {
        /** Create the AOL/J wrapper input stream by passing the InputStream and the allowlist pattern **/
        String pattern = "java.lang.Double;java.lang.Float;java.lang.Short;java.lang.Byte;java.lang.Integer;java.lang.Boolean;java.lang.Object;java.lang.Long;java.lang.Number;oracle.apps.ieu.servlet.dbAccess.DALObject;oracle.apps.ieu.servlet.dbAccess.DALRow;oracle.apps.ieu.servlet.dbAccess.DALStatementData;oracle.apps.ieu.servlet.dbAccess.DALArray;oracle.apps.ieu.servlet.dbAccess.DALArrayDescriptor;oracle.apps.ieu.servlet.dbAccess.DALStruct;oracle.apps.ieu.servlet.dbAccess.DALStructDescriptor";
        fois = new FilteredObjectInputStream(in /* InputStream */, pattern /* String of allowlist classes */);

        /** Instead of calling objin.readObject(), call fois.readObject() **/
        Object obj = fois.readObject();
    } catch (IOException ioe) {
        /** A rejected class surfaces as InvalidClassException (an IOException subclass);
            check both the exception itself and its cause in case the wrapper re-wraps it **/
        Throwable cause = ioe.getCause();
        if (ioe instanceof InvalidClassException || cause instanceof InvalidClassException) {
            // log message "Most likely class rejection during deserialization"
        }
        // log ioe.getMessage();
    } catch (ClassNotFoundException cnfe) {
        /** readObject() also declares ClassNotFoundException **/
        // log cnfe.getMessage();
    } finally {
        /** fois is still null if the constructor threw, so guard the close **/
        if (fois != null) {
            try {
                fois.close();
            } catch (IOException ignore) {
                // nothing further to do on close failure
            }
        }
    }
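The allowlist behaviour described above (only listed classes pass, any other class in the stream is rejected) can be reproduced with the JDK's own JEP 290 API, which is useful for understanding what the wrapper does and for unit-testing a pattern before deploying it. The following is an added, self-contained example and is not Oracle's code: it uses java.io.ObjectInputFilter directly instead of FilteredObjectInputStream, whose internals the page does not show, and the class names and sample objects are constructed for the demonstration. One caveat the plain JDK filter has that the text above does not mention: a pattern that only lists classes is a denylist-with-holes, because unmatched classes are UNDECIDED and still load; the trailing "!*" is what turns it into a real allowlist.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;

public class AllowlistDeserializationDemo {

    // Constructed allowlist pattern (JEP 290 syntax, ';' separated, like the AOL/J pattern above).
    // java.lang.Number is needed because Integer's superclass descriptor is also in the stream.
    // "!*" at the end rejects every class not matched earlier; without it the JDK filter
    // returns UNDECIDED for unmatched classes and ObjectInputStream lets them through.
    static final String ALLOWLIST = "java.lang.Integer;java.lang.Number;java.util.ArrayList;!*";

    // Serialize any object into a byte[] (stands in for the InputStream the application receives).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with a filter built from the pattern; every class descriptor in the
    // stream is checked before the class is resolved, which is the JEP 290 guarantee.
    static Object readFiltered(byte[] bytes, String pattern)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an ArrayList of Integers, all on the allowlist.
        ArrayList<Integer> allowed = new ArrayList<>();
        allowed.add(1);
        allowed.add(2);
        Object back = readFiltered(serialize(allowed), ALLOWLIST);
        System.out.println("accepted: " + back);

        // Constructed sample: a HashMap, which is not on the allowlist.
        HashMap<String, String> notListed = new HashMap<>();
        notListed.put("k", "v");
        try {
            readFiltered(serialize(notListed), ALLOWLIST);
            System.out.println("unexpected: HashMap was accepted");
        } catch (InvalidClassException e) {
            // OpenJDK reports the rejection as "filter status: REJECTED"
            System.out.println("rejected: " + e.getMessage());
        }

        // Same HashMap with the trailing "!*" removed: the stream now loads, which is the
        // mistake a pattern review should catch.
        String denylistOnly = "java.lang.Integer;java.lang.Number;java.util.ArrayList";
        Object leaked = readFiltered(serialize(notListed), denylistOnly);
        System.out.println("loaded without !*: " + leaked.getClass().getName());
    }
}
```

Because the rejection is an InvalidClassException thrown from readObject(), the catch logic in the AOL/J example above (log "class rejection" when the exception or its cause is an InvalidClassException) applies unchanged here; the filter is also consulted for classes nested inside the top-level object, so a pattern has to list element and superclass types, not just the outermost class.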