commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Gabriel Lawrence <>
Subject Re: [COLLECTIONS] Bad press on twitter following serialization issue
Date Sun, 08 Nov 2015 18:10:12 GMT
If you guys want to put together a blog post about this, Chris and I would
be happy to help. We've tried to be pretty clear to people that this isnt a
problem with the libraries, but something that should be addressed by the
deserializer either by not deserializing from a trusted source or by
hacking in their own way to whitelist types allowed to be deserialized.

I think the core message is that object instantiation is code execution,
don't give untrusted folks the ability to instantiate arbitrary objects or
you are going to have a bad day. Pulling together gadgets is a painful
search, but the idea that you can find them all and eliminate them seems
flawed. There are likely going to be things in your classpath that do stuff
similar to the set of gadgets Chris found that rely on the apache library
in tuns of other class libraries as well.

Let us know. Since this broke out on twitter we've both been trying hard to
get the description of the root of the problem to be changed. But, it seems
to have stuck for some reason... maybe because having it be a simple fix is
just more desirable to people :-) Even when it isn't.


On Sun, Nov 8, 2015 at 1:41 AM, Benedikt Ritter <> wrote:

> Hi,
> there is a lot of bad talk going on at twitter [1,2,3] and I'm wondering
> whether we should respond to this via the Apache blog.
> Thoughts?
> Benedikt
> [1]
> [2]
> [3]
> --

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message