commons-dev mailing list archives

From Thomas Neidhart <thomas.neidh...@gmail.com>
Subject Re: invoker-defender Java agent
Date Mon, 09 Nov 2015 21:10:50 GMT
On 11/09/2015 12:34 PM, Eirik Bjørsnøs wrote:
> Hi,
> 
> Following the "recent" "news" about Java deserialization security issues, I
> decided to create:
> 
> https://github.com/kantega/invoker-defender/
> 
> This is a Java Agent which removes java.io.Serializable from classes known
> to be vulnerable to deserialization attacks. (Including InvokerTransformer)
> 
> I do not in any way consider this a complete solution to the problem since
> it only "fixes" a few well known classes.
> 
> But it might be something people could consider as a mitigation effort
> while vendors/projects work on more long-term fixes.
> 
> Feedback is welcome.

Thanks for sharing your work here.

Thomas
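
The mitigation described in the quoted announcement (a Java agent that strips `java.io.Serializable` from selected classes at load time), shown as an added example; it is not code from invoker-defender or from either poster. It assumes the ASM library (`org.objectweb.asm`) is bundled with the agent; the class name `StripSerializableAgent` and the fully qualified name used for InvokerTransformer (Commons Collections 3.x package) are assumptions.

```java
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;
import java.util.*;
import org.objectweb.asm.*;

// Hypothetical agent class, not the invoker-defender implementation.
public class StripSerializableAgent implements ClassFileTransformer {

    // Internal (slash-separated) names of classes to harden. Only
    // InvokerTransformer is named in the post; its package is assumed here.
    private static final Set<String> TARGETS = new HashSet<>(Arrays.asList(
        "org/apache/commons/collections/functors/InvokerTransformer"));

    // Entry point the JVM calls before the application's main().
    public static void premain(String args, Instrumentation inst) {
        inst.addTransformer(new StripSerializableAgent());
    }

    @Override
    public byte[] transform(ClassLoader loader, String className,
                            Class<?> classBeingRedefined,
                            ProtectionDomain domain, byte[] classfile) {
        if (className == null || !TARGETS.contains(className)) {
            return null; // null tells the JVM to keep the original bytes
        }
        ClassReader reader = new ClassReader(classfile);
        ClassWriter writer = new ClassWriter(0);
        reader.accept(new ClassVisitor(Opcodes.ASM5, writer) {
            @Override
            public void visit(int version, int access, String name,
                              String signature, String superName,
                              String[] interfaces) {
                // Re-emit the class header without java.io.Serializable.
                List<String> kept = new ArrayList<>();
                if (interfaces != null) {
                    for (String itf : interfaces) {
                        if (!"java/io/Serializable".equals(itf)) kept.add(itf);
                    }
                }
                super.visit(version, access, name, signature, superName,
                            kept.toArray(new String[0]));
            }
        }, 0);
        return writer.toByteArray();
    }
}
```

Packaged in a jar whose manifest sets `Premain-Class` and started with `-javaagent:`, the transformer runs before the target class is defined. It only removes a directly declared `Serializable`; a class that inherits serializability from a superclass or superinterface is not affected by this transformer.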
