commons-dev mailing list archives

From Thomas Neidhart <>
Subject Re: [collection][security] InvokerTransformer missused in java object serialisation exploits
Date Sun, 08 Nov 2015 19:10:31 GMT
On 11/08/2015 07:51 PM, James Carman wrote:
> Couldn't they use the same attack vector to set a system property also? I
> do believe that would be possible

For this you need a way to execute code via a de-serialized class.
Right now, the simplest way to do so is via the InvokerTransformer.

There are surely other ways to do so, but if the only available way is
blocked (i.e. InvokerTransformer can not be deserialized), a remote
attacker cannot set a system property via this attack vector.

Btw. setting a system property can also be restricted by a SecurityManager.

I am -1 on a programmatic interface, and for the 4.X branch I propose to
remove the serialization support completely.



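The message above argues that the attack vector is closed if InvokerTransformer cannot be deserialized. The following is an added example, not code from this thread or from Commons Collections, of how an application can enforce that on its side: a "look-ahead" ObjectInputStream that rejects any class not on an allow-list before an instance is created. The allow-list entries and the use of java.util.HashMap as the stand-in for a disallowed class are assumptions made for the demonstration; the InvokerTransformer class name is the one discussed in the thread.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Set;

/**
 * Added example (not from the mailing list or Commons Collections):
 * an ObjectInputStream that refuses to resolve classes outside an
 * allow-list, so org.apache.commons.collections.functors.InvokerTransformer
 * (and every other unexpected class) is rejected before deserialization
 * can touch it. Allow-list contents are an assumption for this demo.
 */
public final class FilteringObjectInputStream extends ObjectInputStream {

    // Assumed allow-list: only these classes may be deserialized.
    private static final Set<String> ALLOWED = Set.of(
            "java.lang.String",
            "java.lang.Integer",
            "java.lang.Number",
            "java.util.ArrayList");

    public FilteringObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // Fail closed. resolveClass runs while the class descriptor is
            // being read, before any object of that class is instantiated,
            // so no constructor, readObject() or transform() of the
            // rejected class ever executes.
            throw new InvalidClassException(name, "class not on deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    /** Serializes obj and reads it back through the filtering stream. */
    static Object roundTrip(Object obj) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        try (ObjectInputStream ois =
                     new FilteringObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an allow-listed Integer round-trips.
        System.out.println(roundTrip(Integer.valueOf(42)));

        // Constructed sample input: a class not on the allow-list is rejected.
        // java.util.HashMap stands in for any disallowed class, so the demo
        // needs no Commons Collections dependency.
        try {
            roundTrip(new java.util.HashMap<String, String>());
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

An allow-list is preferred over a deny-list of known gadget classes because the deny-list has to be kept current as new classes are found. On Java 9 and later the same policy can be expressed with the standard ObjectInputFilter (JEP 290) instead of subclassing ObjectInputStream.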