Vulnerability Details

Advisory ID: SYSS-2019-039
Product: Protection! Licensing Toolkit, SoapUI/LoadUI/ServiceV Pro
Manufacturer: jProductivity LLC, SmartBear Software
Affected Version(s): ReadyAPI 3.2.5
Tested Version(s): ReadyAPI 3.2.5
Vulnerability Type: Unsafe deserialization/remote code execution (CWE-502)
Risk Level: High

Overview

jProductivity Protection! is a licensing toolkit used by software vendors. ReadyAPI uses the jProductivity Protection! licensing solution.

Vulnerability Details

The jProductivity Protection! Licensing Toolkit uses RMI-based network protocols, which are vulnerable to deserialization attacks. In the case of ReadyAPI, this can be exploited for remote code execution on the client side.

Proof of Concept (PoC)

Set up a JRMP/RMI service returning a malicious serialized object graph. When checking out a license from the rogue server, RMI calls lead to deserialization of attacker-provided data, executing arbitrary code.

Solution

Avoid using Java serialization-based network protocols. If unavoidable, use strict whitelist-based filtering.

Disclosure Timeline

2019-08-08: Vulnerability discovered.
2019-09-02: Reported to manufacturer.
2020-05-18: Public disclosure.

References

[1] Product website for jProductivity Protection!
[2] Product website for ReadyAPI
[3] SYSS Security Advisory: SYSS-2019-039
[5] ysoserial project

Credits

Found by Moritz Bechler of SySS GmbH
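The "strict whitelist-based filtering" recommended in the Solution section maps directly onto the Java serialization filter mechanism (java.io.ObjectInputFilter, available since Java 9). The following added example is not part of the advisory and is not code from jProductivity or SmartBear; it shows a per-stream allowlist that accepts only the classes a licensing exchange is expected to carry and rejects any other class before its deserialization hooks can run. The class names on the allowlist and the sample license map are constructed for the demo; a real deployment lists its own message classes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;

public class AllowlistDeserialization {

    // Allowlist for the classes a licensing exchange legitimately carries.
    // The entries are constructed for this demo. java.lang.Number is listed
    // because Integer's serialized form includes its superclass descriptor.
    // The trailing "!*" rejects every class not named before it; the
    // maxdepth/maxarray/maxrefs limits bound the size of any accepted graph.
    static final ObjectInputFilter LICENSE_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=1024;maxrefs=256;"
            + "java.lang.String;java.lang.Number;java.lang.Integer;java.util.HashMap;!*");

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the allowlist installed on this stream only.
    // The filter is consulted when each class descriptor is resolved, i.e.
    // before any readObject()/readResolve() of that class executes.
    static Object deserializeFiltered(byte[] data) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(LICENSE_FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected message: a map of license fields (constructed sample data).
        Map<String, Integer> expected = new HashMap<>();
        expected.put("seats", 5);
        System.out.println("allowed:  " + deserializeFiltered(serialize(expected)));

        // Unexpected graph: a class the protocol never exchanges stands in for
        // an attacker-controlled object graph. The filter rejects it with
        // InvalidClassException ("filter status: REJECTED").
        ArrayList<String> unexpected = new ArrayList<>();
        unexpected.add("not a license message");
        try {
            deserializeFiltered(serialize(unexpected));
            System.out.println("unexpected graph was accepted (filter not effective)");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A per-stream filter only protects streams the application opens itself. For the RMI case described in this advisory, the same pattern string can be installed process-wide with the jdk.serialFilter system property (or ObjectInputFilter.Config.setSerialFilter), which also covers the ObjectInputStream instances RMI creates internally; exported remote objects can additionally be given their own filter via the exportObject overload that accepts an ObjectInputFilter. Enumerating the allowed classes is the important part: a filter consisting only of size limits does not stop a gadget chain built from classes that are present on the classpath.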