On the relevance of Java vulnerabilities identified by threat intelligence

Degree: Master
Status: Available
Supervisor(s): Dr. Simon Koch

Description

Threat intelligence provides software developers with information about potential vulnerabilities in their software projects and their dependencies. However, the relevance of this information is not always certain, and the question arises of how well detected vulnerabilities are actually exploitable.

The objective of this Master’s thesis is to understand the security implications of vulnerabilities identified by threat intelligence. To this end, the student first collects threat intelligence to identify a set of vulnerabilities across dependencies in OSS projects written in Java, and then analyzes their exploitability. Part of the task is to define a reliable analysis procedure that ensures quantitative insights can be extracted from the analyzed statistics. In the thesis, the student documents the analysis procedure in general and by example, justifies it, discusses corner cases, and applies the procedure to a set of vulnerabilities extracted from threat intelligence. The resulting dataset is analyzed for noteworthy patterns and submitted with the thesis. Implications for threat intelligence are derived, and recommendations are made for prioritising action on threat intelligence sources.

References

  • O’Donoghue, E., Boles, B., Izurieta, C., and Reinhold, A.M. Impacts of Software Bill of Materials (SBOM) Generation on Vulnerability Detection. In Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED). 10.1145/3689944.3696164, 2024, pp. 67–76.
  • Li, V.G., Dunn, M., Pearce, P., et al. Reading the Tea Leaves: A Comparative Analysis of Threat Intelligence. In USENIX Security Symposium. https://www.usenix.org/conference/usenixsecurity19/presentation/li, 2019.
  • Sayar, I., Bartel, A., Bodden, E., and Le Traon, Y. An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities. In ACM Transactions on Software Engineering and Methodology. 10.1145/3554732, 2023.
  • Wunder, J., Kurtz, A., Eichenmüller, C., Gassmann, F., and Benenson, Z. Shedding Light on CVSS Scoring Inconsistencies: A User-Centric Study on Evaluating Widespread Security Vulnerabilities. In IEEE Symposium on Security and Privacy. 10.1109/SP54263.2024.00058, 2025.