commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Struberg <strub...@yahoo.de>
Subject Re: [collection][security] InvokerTransformer missused in java object serialisation exploits
Date Sun, 08 Nov 2015 21:03:57 GMT
SecurityManager is an ancient part and heavily slows down the JVM. That’s the reason why
almost nobody is using it.

LieGrue,
strub


> Am 08.11.2015 um 20:20 schrieb James Carman <james@carmanconsulting.com>:
> 
> I think this entire thing can be prevented with a security manager and a
> proper policy in place. Nobody does that, though
> 
> On Sun, Nov 8, 2015 at 2:10 PM Thomas Neidhart <thomas.neidhart@gmail.com>
> wrote:
> 
>> On 11/08/2015 07:51 PM, James Carman wrote:
>>> Couldn't they use the same attack vector to set a system property also? I
>>> do believe that would be possible
>> 
>> for this you need a way to execute code via a de-serialized class.
>> Right now, the simplest way to do so is via the InvokerTransformer.
>> 
>> There are surely other ways to do so, but if the only available way is
>> blocked (i.e. InvokerTransformer can not be deserialized), a remote
>> attacker cannot set a system property via this attack vector.
>> 
>> btw. setting a system property can also be restricted by a SecurityManager.
>> 
>> I am -1 on a programmatic interface, and for the 4.X branch I propose to
>> remove the serialization support completely.
>> 
>> Thomas
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>> For additional commands, e-mail: dev-help@commons.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org


Mime
View raw message