OpenJDK prior to 8u181 : ObjectInputStream filterCheck method throws NullPointerException in JBoss EAP 7.4 Update 13+
Environment
- Red Hat JBoss Enterprise Application Platform (EAP) 7.4 Update 13
- OpenJDK 8 earlier than 8u181
Issue
- OpenJDK prior to 8u181 : ObjectInputStream filterCheck method throws NullPointerException in JBoss EAP 7.4 Update 13+
- After updating to EAP 7.4.13+, our JBoss instance is failing to start with older JDKs:
2024-01-03 18:36:14,980 INFO [org.jboss.modules] (main) JBoss Modules version 1.12.2.Final-redhat-00001
2024-01-03 18:36:15,243 FATAL [org.jboss.as.server] (main) WFLYSRV0239: Aborting with exit code 1
Resolution
Update the JDK to a release that contains the fix for the bug:
ObjectInputStream filterCheck method throws NullPointerException
- JDK-8203368 - JDK 11
- JDK-8205099 - 8u181
- JDK-8205584 - 8u191
- JDK-8204129 - 8u192
- JDK-8208967 - 8u201
Root Cause
EAP 7.4 Update 13+ includes a fix for CVE-2023-3171. This fix uses the ObjectInputStream filter to protect against the deserialization CVE. OpenJDK releases older than 8u181 carry the bug listed above, which makes the filter check throw a NullPointerException, so OpenJDK must be updated to a release containing the bug fix to prevent the error. Disabling the CVE-2023-3171 protection in EAP 7.4 does not avoid the OpenJDK bug: the filter check is still invoked with a default filter and still hits the NullPointerException caused by the JDK bug.
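As an added check, not part of the Red Hat solution, the POSIX shell function below classifies a `java -version` string against the fix versions listed above (8u181 for the OpenJDK 8 line, JDK 11 for the mainline) so the JDK can be validated before EAP is started. The version strings in the sample run are constructed.

```shell
#!/bin/sh
# Added check: classify a JDK version string against the filterCheck NPE fix.
# Prints one of:
#   affected - Java 8 with update < 181 (ObjectInputStream filterCheck NPE)
#   fixed    - Java 8 with update >= 181, or Java 11 and later
#   verify   - anything else (e.g. 9 or 10), not covered by this article
jdk_status() {
    ver=$1
    case "$ver" in
        1.8.0_*)
            # strip "1.8.0_" and anything after the update number (-b11, -redhat, ...)
            upd=${ver#1.8.0_}
            upd=$(printf '%s' "$upd" | sed 's/[^0-9].*//')
            if [ -z "$upd" ]; then echo verify; return; fi
            if [ "$upd" -lt 181 ]; then echo affected; else echo fixed; fi
            ;;
        *)
            major=${ver%%.*}
            case "$major" in
                *[!0-9]*|'') echo verify ;;
                *) if [ "$major" -ge 11 ]; then echo fixed; else echo verify; fi ;;
            esac
            ;;
    esac
}

# Shell true (exit 0) when the JDK must be updated before starting EAP 7.4.13+.
jdk_needs_update() {
    [ "$(jdk_status "$1")" = affected ]
}

# Version of the java on PATH: the quoted token on the 'version "..."' line.
running_jdk_version() {
    java -version 2>&1 | sed -n '/version "/{s/.*"\([^"]*\)".*/\1/p;q;}'
}

# Constructed sample strings for a stand-alone run (not from any real host).
for v in 1.8.0_172-b11 1.8.0_181 1.8.0_201-b09 11.0.2 1.8.0_332-redhat; do
    printf '%-20s %s\n' "$v" "$(jdk_status "$v")"
done
```

On a host, `jdk_needs_update "$(running_jdk_version)" && echo "update the JDK"` gives the check for the installed java.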
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.