commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From James Carman <ja...@carmanconsulting.com>
Subject Re: [collection][security] InvokerTransformer missused in java object serialisation exploits
Date Sun, 08 Nov 2015 19:20:06 GMT
I think this entire thing can be prevented with a security manager and a
proper policy in place. Nobody does that, though

On Sun, Nov 8, 2015 at 2:10 PM Thomas Neidhart <thomas.neidhart@gmail.com>
wrote:

> On 11/08/2015 07:51 PM, James Carman wrote:
> > Couldn't they use the same attack vector to set a system property also? I
> > do believe that would be possible
>
> for this you need a way to execute code via a de-serialized class.
> Right now, the simplest way to do so is via the InvokerTransformer.
>
> There are surely other ways to do so, but if the only available way is
> blocked (i.e. InvokerTransformer can not be deserialized), a remote
> attacker cannot set a system property via this attack vector.
>
> btw. setting a system property can also be restricted by a SecurityManager.
>
> I am -1 on a programmatic interface, and for the 4.X branch I propose to
> remove the serialization support completely.
>
> Thomas
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message