From: Peter
Date: Tue, 14 Feb 2017 01:09:18 +1000 (AEST)
To: dev@river.apache.org
Subject: Re: OSGi NP Complete Was: OSGi - deserialization remote invocation strategy

I did notice that.

Are you connected to a network and performing deserialization without input validation? Does the secure endpoint allow anon clients? That is, even if you are using client certificates, does the endpoint allow anon? Does your endpoint allow insecure cyphers?

Have a look at the changes in JGDMS.

SafeServiceRegistrar authenticates and performs input validation first.

Regards,

Peter.

Sent from my Samsung device.

---- Original message ----
From: Michał Kłeczek
Sent: 14/02/2017 12:42:43 am
To: dev@river.apache.org
Subject: Re: OSGi NP Complete Was: OSGi - deserialization remote invocation strategy

I fail to understand how you are more vulnerable because of a trusted
local class that securely downloads code on behalf of a service.

And how, in terms of security, it is different from your
SecureServiceRegistrar.

Thanks,
Michal

Peter wrote:
> Then you are vulnerable to deserialization gadget attacks, insecure cyphers, anon certs etc.
>
> JGDMS is as secure as possible with current cyphers, no anon certs, no known insecure cyphers (tlsv1.2), input validation during deserialization, delayed unmarshalling with authentication.
>
> I don't see a compelling reason to give that up for a local class with a readResolve method.
>
> Sorry.
>
> Regards,
>
> Peter.
> Sent from my Samsung device.
>
> ---- Original message ----
> From: Michał Kłeczek
> Sent: 14/02/2017 12:14:41 am
> To: dev@river.apache.org
> Subject: Re: OSGi NP Complete Was: OSGi - deserialization remote invocation strategy
>
>
> Peter wrote:
>> In jgdms I've enabled support for https unicast lookup in LookupLocator; this establishes a connection to a Registrar only, not any service. This functionality doesn't exist in River.
>>
>> How do you propose establishing a connection using one of these endpoints?
> I am not sure I understand the question.
> In exactly the same way that the connection is established today, for
> example by a ProxyTrust instance.
>
> Thanks,
> Michal
>
>
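The two controls argued for in this thread, an endpoint that refuses anonymous clients and weak suites, and deserialization that validates classes before anything is instantiated, shown as an added illustration in plain JDK code; this is not JGDMS, River or SafeServiceRegistrar code, and the `com.example.dto` package, the port and the `GuardedEndpoint` class are assumptions (Java 9+ `ObjectInputFilter` assumed).

```java
import java.io.*;
import java.util.*;
import javax.net.ssl.*;

// Added illustration (not JGDMS or River code): authenticate the peer on a
// TLS endpoint that forbids anonymous suites, then deserialize through a
// filter that validates classes before readObject() can instantiate them.
public final class GuardedEndpoint {

    // Allow-list filter: a hypothetical DTO package, a few JDK value types,
    // and bounded graph depth / array length; everything else is rejected
    // before any constructor, readObject or readResolve can run.
    static final ObjectInputFilter FILTER = info -> {
        if (info.depth() > 8 || info.arrayLength() > 10_000) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> c = info.serialClass();
        if (c == null) {
            return ObjectInputFilter.Status.UNDECIDED; // non-class checkpoint
        }
        if (c.isArray()) c = c.getComponentType();
        String n = c.getName();
        boolean ok = c.isPrimitive() || n.startsWith("com.example.dto.")
                  || n.equals("java.lang.String") || n.equals("java.util.ArrayList");
        return ok ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
    };

    // Server socket: TLSv1.2 only, client certificate required, no anonymous
    // or NULL-cipher suites. Key and trust material are assumed to come from
    // the default SSLContext (javax.net.ssl.* system properties).
    static SSLServerSocket listen(int port) throws IOException {
        SSLServerSocket ss = (SSLServerSocket)
                SSLServerSocketFactory.getDefault().createServerSocket(port);
        ss.setEnabledProtocols(new String[] {"TLSv1.2"});
        ss.setNeedClientAuth(true); // anon clients are refused at the handshake
        List<String> suites = new ArrayList<>();
        for (String s : ss.getSupportedCipherSuites()) {
            if (s.startsWith("TLS_ECDHE_") && !s.contains("_anon_") && !s.contains("NULL")) {
                suites.add(s);
            }
        }
        ss.setEnabledCipherSuites(suites.toArray(new String[0]));
        return ss;
    }

    // One connection: the handshake (and so client authentication) completes
    // before a single byte of the object stream is parsed.
    static Object readValidated(SSLSocket sock) throws IOException, ClassNotFoundException {
        sock.startHandshake();
        sock.getSession().getPeerPrincipal(); // throws if the client did not authenticate
        try (ObjectInputStream in = new ObjectInputStream(sock.getInputStream())) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }
}
```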