commons-dev mailing list archives

From Eirik Bjørsnøs
Subject invoker-defender Java agent
Date Mon, 09 Nov 2015 11:34:03 GMT

Following the "recent" "news" about Java deserialization security issues, I
decided to create:

This is a Java Agent which removes from classes known
to be vulnerable to deserialization attacks. (Including InvokerTransformer)

I do not in any way consider this a complete solution to the problem since
it only "fixes" a few well known classes.

But it might be something people could consider as a mitigation effort
while vendors/projects work on more long-term fixes.

Feedback is welcome.

