commons-dev mailing list archives

From James Carman <ja...@carmanconsulting.com>
Subject Re: [collection][security] InvokerTransformer misused in java object serialisation exploits
Date Sun, 08 Nov 2015 19:47:08 GMT
Runtime.exec can be prevented though

On Sun, Nov 8, 2015 at 2:31 PM Thomas Neidhart <thomas.neidhart@gmail.com>
wrote:

> On 11/08/2015 08:20 PM, James Carman wrote:
> > I think this entire thing can be prevented with a security manager and a
> > proper policy in place. Nobody does that, though
>
> You cannot prevent the use of reflection for public methods via a
> SecurityManager.
>
> If you then look at the different provided payloads you can see that an
> attacker can inject arbitrary bytecode that is being loaded.
>
> How would you prevent that such code is able to do anything harmful,
> especially considering that it is being executed in the security context
> of some trusted component?
>
> Thomas
>
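The thread's open question is how to stop the gadget chain at all when a SecurityManager cannot block reflection on public methods. One answer is to refuse unexpected classes at the deserialization boundary, before InvokerTransformer is ever instantiated. The following is an added example (not code from this thread or from Commons Collections) of an ObjectInputStream subclass that allowlists the types an endpoint expects; the class names in ALLOWED and the HashMap payload are assumptions made for the demo, and Set.of requires Java 9 or later.

```java
import java.io.*;
import java.util.*;

// Added example: an ObjectInputStream that only resolves classes on an explicit
// allowlist, so a stream carrying InvokerTransformer (or any other gadget class)
// is refused before the class is loaded or an instance is constructed.
public class AllowlistObjectInputStream extends ObjectInputStream {
    // Assumption for this demo: the endpoint only ever expects a HashMap of
    // String -> Integer. Superclass descriptors (Number) are resolved as well.
    private static final Set<String> ALLOWED = Set.of(
            "java.util.HashMap", "java.lang.Integer", "java.lang.Number");

    public AllowlistObjectInputStream(InputStream in) throws IOException {
        super(in);
    }
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // Thrown while the class descriptor is being read, i.e. before any
            // readObject/readResolve code of the incoming object graph can run.
            throw new InvalidClassException(name, "not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        HashMap<String, Integer> expected = new HashMap<>();
        expected.put("count", 1);
        try (ObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(serialize(expected)))) {
            System.out.println("accepted: " + in.readObject());
        }
        // A type outside the allowlist (an ArrayList stands in for a gadget chain)
        // is refused exactly as InvokerTransformer would be.
        try (ObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(serialize(new ArrayList<String>())))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same policy can be expressed without subclassing via ObjectInputFilter (JEP 290), e.g. ObjectInputFilter.Config.createFilter("java.util.HashMap;java.lang.*;!*") passed to ObjectInputStream.setObjectInputFilter.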
