Subject: Re: invoker-defender Java agent
From: Thomas Neidhart
To: Commons Developers List <dev@commons.apache.org>
Date: Mon, 9 Nov 2015 22:10:50 +0100
Message-ID: <56410BDA.3050802@gmail.com>

On 11/09/2015 12:34 PM, Eirik Bjørsnøs wrote:
> Hi,
>
> Following the "recent" "news" about Java deserialization security issues, I
> decided to create:
>
> https://github.com/kantega/invoker-defender/
>
> This is a Java Agent which removes java.io.Serializable from classes known
> to be vulnerable to deserialization attacks. (Including InvokerTransformer)
>
> I do not in any way consider this a complete solution to the problem since
> it only "fixes" a few well known classes.
>
> But it might be something people could consider as a mitigation effort
> while vendors/projects work on more long-term fixes.
>
> Feedback is welcome.

Thanks for sharing your work here.

Thomas

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
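The technique Eirik describes (a Java agent that strips java.io.Serializable from a fixed set of known gadget classes at load time) can be shown end to end without any bytecode library, by rewriting the interfaces table of the class file directly. The agent below is an added illustration for this thread, not the invoker-defender project's own code, and it assumes names of its own: the agent class SerializableStripAgent, a DENYLIST holding the internal names of the two InvokerTransformer classes (the class named in the thread; the commons-collections4 variant is an assumption), and a jar called strip-agent.jar in the usage note.

```java
// Added example (not the invoker-defender project's code): a -javaagent that removes
// java.io.Serializable from a denylist of classes by splicing the class file's
// interfaces table at load time. All names below are assumptions for the example.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class SerializableStripAgent {

    // ClassFileTransformer receives internal (slash-separated) names, so the denylist
    // uses that form. InvokerTransformer is the class named in the thread; listing the
    // collections4 variant as well is an assumption of this example.
    private static final Set<String> DENYLIST = new HashSet<>(Arrays.asList(
        "org/apache/commons/collections/functors/InvokerTransformer",
        "org/apache/commons/collections4/functors/InvokerTransformer"));

    public static void premain(String args, Instrumentation inst) {
        inst.addTransformer(new ClassFileTransformer() {
            @Override
            public byte[] transform(ClassLoader loader, String className, Class<?> redefined,
                                    ProtectionDomain pd, byte[] classfile) {
                if (className == null || !DENYLIST.contains(className)) {
                    return null; // null tells the JVM to load the class unchanged
                }
                try {
                    return stripInterface(classfile, "java/io/Serializable");
                } catch (IOException e) {
                    // The JVM falls back to the original bytes whether we return null or
                    // throw, so make the failure visible instead of silently failing open.
                    System.err.println("strip-agent: could not rewrite " + className + ": " + e);
                    return null;
                }
            }
        });
    }

    /** Returns a copy of {@code classfile} whose interfaces table no longer lists {@code internalName}. */
    static byte[] stripInterface(byte[] classfile, String internalName) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(classfile));
        if (in.readInt() != 0xCAFEBABE) throw new IOException("not a class file");
        in.readUnsignedShort(); // minor_version
        in.readUnsignedShort(); // major_version
        int cpCount = in.readUnsignedShort();

        // Walk the constant pool once, keeping every CONSTANT_Utf8 string and the
        // name index of every CONSTANT_Class, so an interface index can be resolved
        // to its name. Other entries are skipped by their fixed size (JVMS 4.4).
        String[] utf8 = new String[cpCount];
        int[] classNameIdx = new int[cpCount];
        for (int i = 1; i < cpCount; i++) {
            int tag = in.readUnsignedByte();
            switch (tag) {
                case 1: utf8[i] = in.readUTF(); break;                    // Utf8 (u2 length + modified UTF-8)
                case 7: classNameIdx[i] = in.readUnsignedShort(); break;  // Class -> name_index
                case 8: case 16: case 19: case 20: in.skipBytes(2); break; // String, MethodType, Module, Package
                case 3: case 4: case 9: case 10: case 11: case 12: case 17: case 18:
                    in.skipBytes(4); break;                               // Integer, Float, *ref, NameAndType, (Invoke)Dynamic
                case 15: in.skipBytes(3); break;                          // MethodHandle
                case 5: case 6: in.skipBytes(8); i++; break;              // Long, Double occupy two slots
                default: throw new IOException("unknown constant pool tag " + tag);
            }
        }
        in.readUnsignedShort(); // access_flags
        in.readUnsignedShort(); // this_class
        in.readUnsignedShort(); // super_class
        int interfacesStart = classfile.length - in.available(); // offset of interfaces_count
        int ifaceCount = in.readUnsignedShort();
        int[] kept = new int[ifaceCount];
        int n = 0;
        for (int i = 0; i < ifaceCount; i++) {
            int idx = in.readUnsignedShort();
            if (!internalName.equals(utf8[classNameIdx[idx]])) kept[n++] = idx;
        }
        int interfacesEnd = classfile.length - in.available();

        // Splice: bytes before interfaces_count, the filtered table, then fields,
        // methods and attributes untouched. Constant pool indices do not shift, so
        // the rest of the file stays valid.
        ByteArrayOutputStream out = new ByteArrayOutputStream(classfile.length);
        DataOutputStream dout = new DataOutputStream(out);
        dout.write(classfile, 0, interfacesStart);
        dout.writeShort(n);
        for (int i = 0; i < n; i++) dout.writeShort(kept[i]);
        dout.write(classfile, interfacesEnd, classfile.length - interfacesEnd);
        dout.flush();
        return out.toByteArray();
    }
}
```

Package it in a jar whose manifest carries "Premain-Class: SerializableStripAgent" and start the target with -javaagent:strip-agent.jar. Once the class no longer implements Serializable, ObjectInputStream rejects any stream that carries an instance of it with an InvalidClassException before the object is constructed, which is what breaks the InvokerTransformer gadget chain. Two caveats follow from how the splice works: it only removes a direct interface entry, so a class that inherits Serializable from a superclass or a superinterface still deserializes, and, as Eirik says of his own agent, a fixed denylist does nothing for gadget classes that are not on it.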