**Vulnerability Details**

- **Advisory ID:** SYSS-2019-039
- **Product:** Protection Licensing Toolkit, SoapUI/LoadUI/ServiceV Pro
- **Manufacturer:** jProductivity LLC, SmartBear Software
- **Affected Version(s):** ReadyAPI 3.2.5
- **Tested Version(s):** ReadyAPI 3.2.5
- **Vulnerability Type:** Unsafe deserialization/remote code execution (CWE-502)
- **Risk Level:** High

**Overview**

- jProductivity Protection! is a licensing toolkit used by software vendors.
- ReadyAPI uses the jProductivity Protection! licensing solution.

**Vulnerability Details**

- The jProductivity Protection Licensing Toolkit uses RMI-based network protocols, which are vulnerable to deserialization attacks.
- In the case of ReadyAPI, this can be exploited for remote code execution on the client side.

**Proof of Concept (PoC)**

- Set up a JRMP/RMI service returning a malicious serialized object graph.
- When a license is checked out from the rogue server, the RMI calls lead to deserialization of attacker-provided data, executing arbitrary code.

**Solution**

- Avoid using Java serialization-based network protocols.
- If that is unavoidable, use strict whitelist-based filtering.

**Disclosure Timeline**

- 2019-08-08: Vulnerability discovered.
- 2019-09-02: Reported to manufacturer.
- 2020-05-18: Public disclosure.

**References**

- [1] Product website for jProductivity Protection!
- [2] Product website for ReadyAPI
- [3] SYSS Security Advisory: SYSS-2019-039
- [5] ysoserial project

**Credits**

- Found by Moritz Bechler of SySS GmbH
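An added example of the whitelist-based filtering the Solution section recommends, using the JDK's built-in serialization filter (JEP 290); this is not code from the advisory, jProductivity or SmartBear, and the `LicenseInfo` class with its fields is hypothetical.

```java
import java.io.*;
import java.util.HashMap;

public class SafeLicenseDeserialization {

    // Hypothetical license record; primitive fields only, so the filter sees exactly one class.
    static final class LicenseInfo implements Serializable {
        private static final long serialVersionUID = 1L;
        final long expiresEpochSeconds;
        final int seats;
        LicenseInfo(long expiresEpochSeconds, int seats) {
            this.expiresEpochSeconds = expiresEpochSeconds;
            this.seats = seats;
        }
    }

    // Allowlist filter: the one expected class is accepted, "!*" rejects every other class
    // (so no gadget class from an attacker-supplied graph is ever resolved), and the
    // depth/reference limits bound resource use by oversized graphs.
    static final ObjectInputFilter LICENSE_FILTER = ObjectInputFilter.Config.createFilter(
            "SafeLicenseDeserialization$LicenseInfo;maxdepth=4;maxrefs=64;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object readWithFilter(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(LICENSE_FILTER); // consulted for every class descriptor read
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        LicenseInfo ok = (LicenseInfo) readWithFilter(serialize(new LicenseInfo(1893456000L, 5)));
        System.out.println("accepted: seats=" + ok.seats);
        try { // a harmless HashMap stands in for an unexpected class: rejected before its readObject runs
            readWithFilter(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A per-stream filter only covers streams your own code opens; for RMI, where the runtime deserializes inside its own streams, the same pattern has to be installed JVM-wide with `-Djdk.serialFilter=...` or `ObjectInputFilter.Config.setSerialFilter(...)`.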