commons-dev mailing list archives

From Eirik Bjørsnøs <eir...@gmail.com>
Subject invoker-defender Java agent
Date Mon, 09 Nov 2015 11:34:03 GMT
Hi,

Following the "recent" "news" about Java deserialization security issues, I
decided to create:

https://github.com/kantega/invoker-defender/

This is a Java Agent which removes java.io.Serializable from classes known
to be vulnerable to deserialization attacks (including InvokerTransformer).

I do not in any way consider this a complete solution to the problem since
it only "fixes" a few well known classes.

But it might be something people could consider as a mitigation effort
while vendors/projects work on more long-term fixes.

Feedback is welcome.

Cheers,
Eirik.
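The mechanism the mail describes, a premain agent that rewrites a deny-listed class at load time so it no longer declares java.io.Serializable, as an added illustration that is not the invoker-defender project's own code. It assumes the ASM bytecode library (org.ow2.asm, ASM 9 API) is bundled in the agent jar, that the jar manifest declares `Premain-Class: DeserializationDefenderAgent`, and the deny list below (the commons-collections 3.x and 4.x InvokerTransformer class names) is illustrative rather than complete.

```java
// Added example (not the invoker-defender source): a Java agent that strips the
// java.io.Serializable interface from deny-listed classes as they are loaded.
// Assumes ASM (org.ow2.asm) is on the agent's classpath and that the agent jar's
// manifest contains "Premain-Class: DeserializationDefenderAgent".
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.Opcodes;

public class DeserializationDefenderAgent {

    // Internal (slash-separated) names of classes to make non-serializable.
    // Illustrative deny list: the InvokerTransformer gadget from
    // commons-collections 3.x and 4.x. A real agent would carry more entries.
    static final Set<String> DENY_LIST = new HashSet<>(Arrays.asList(
        "org/apache/commons/collections/functors/InvokerTransformer",
        "org/apache/commons/collections4/functors/InvokerTransformer"));

    private static final String SERIALIZABLE = "java/io/Serializable";

    // Entry point invoked by the JVM before main() when started with -javaagent.
    public static void premain(String agentArgs, Instrumentation inst) {
        inst.addTransformer(new StripSerializable(), false);
    }

    static final class StripSerializable implements ClassFileTransformer {
        @Override
        public byte[] transform(ClassLoader loader, String className,
                                Class<?> classBeingRedefined,
                                ProtectionDomain protectionDomain,
                                byte[] classfileBuffer) {
            if (className == null || !DENY_LIST.contains(className)) {
                return null; // null tells the JVM to keep the original bytes
            }
            ClassReader reader = new ClassReader(classfileBuffer);
            // Pass the reader to the writer so unchanged parts (constant pool,
            // method bodies) are copied through without re-computation.
            ClassWriter writer = new ClassWriter(reader, 0);
            reader.accept(new ClassVisitor(Opcodes.ASM9, writer) {
                @Override
                public void visit(int version, int access, String name,
                                  String signature, String superName,
                                  String[] interfaces) {
                    // Drop java/io/Serializable from the direct interface list;
                    // everything else about the class is left as it was.
                    String[] kept = interfaces == null ? null
                        : Arrays.stream(interfaces)
                                .filter(i -> !SERIALIZABLE.equals(i))
                                .toArray(String[]::new);
                    super.visit(version, access, name, signature, superName, kept);
                }
            }, 0);
            return writer.toByteArray();
        }
    }
}
```

Run the target application with `java -javaagent:defender.jar ...`; once the patched class is loaded, an ObjectInputStream that meets a stream descriptor for it fails with an InvalidClassException instead of instantiating the gadget. Two checks worth making before relying on this: the class must declare Serializable directly (a class that inherits it from a superclass or a superinterface is not affected by editing its own interface list), and the class must not already have been loaded by the time the transformer is registered, which premain guarantees but a late-attached agent does not.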
