oss-sec mailing list archives

Re: CVE-Request: Assign CVE for common-collections remote code execution on deserialisation flaw

From: Tim <tim-security () sentinelchicken org>
Date: Fri, 13 Nov 2015 09:16:10 -0800

The patch[1] attached to that JIRA report would disable serialization by
default. Any application that needs it would require a code change to
re-enable it. This would break existing applications.


Right... so that's still speculation.  Speculation that apps actually
need to serialize objects of those particular classes.  There may very
well be applications that do that, but I just want to be sure we're
not overstating the downsides.

tim

Current thread:

Re: Assign CVE for common-collections remote code execution on deserialisation flaw, (continued)
- - Re: Assign CVE for common-collections remote code execution on deserialisation flaw Pedro Vaz De Sousa Grilo (Nov 09)
  - Re: Assign CVE for common-collections remote code execution on deserialisation flaw Tim (Nov 09)
    - Re: Assign CVE for common-collections remote code execution on deserialisation flaw Moritz Bechler (Nov 09)
    - Re: Assign CVE for common-collections remote code execution on deserialisation flaw Tim (Nov 10)
    - Re: Assign CVE for common-collections remote code execution on deserialisation flaw Moritz Bechler (Nov 11)
    - Re: Assign CVE for common-collections remote code execution on deserialisation flaw Tim (Nov 11)
    - CVE-Request: Assign CVE for common-collections remote code execution on deserialisation flaw Gsunde Orangen (Nov 12)
    - Re: CVE-Request: Assign CVE for common-collections remote code execution on deserialisation flaw Mark Felder (Nov 12)
    - Re: CVE-Request: Assign CVE for common-collections remote code execution on deserialisation flaw Tim (Nov 12)
    - Re: CVE-Request: Assign CVE for common-collections remote code execution on deserialisation flaw Mark Felder (Nov 13)
    - Re: CVE-Request: Assign CVE for common-collections remote code execution on deserialisation flaw Tim (Nov 13)
    - Re: CVE-Request: Assign CVE for common-collections remote code execution on deserialisation flaw Gsunde Orangen (Nov 12)
    - Re: CVE-Request: Assign CVE for common-collections remote code execution on deserialisation flaw Mark Felder (Nov 13)
    - Re: CVE-Request: Assign CVE for common-collections remote code execution on deserialisation flaw Lisa Bradley (Nov 13)
    - Re: CVE-Request: Assign CVE for common-collections remote code execution on deserialisation flaw Gsunde Orangen (Nov 13)
    - Re: CVE-Request: Assign CVE for common-collections remote code execution on deserialisation flaw Oracle Security Alerts (Thomas) (Nov 17)
    - Re: CVE-Request: Assign CVE for common-collections remote code execution on deserialisation flaw Mark Felder (Nov 13)
    - Re: CVE-Request: Assign CVE for common-collections remote code execution on deserialisation flaw Gsunde Orangen (Nov 13)
    - Re: CVE-Request: Assign CVE for common-collections remote code execution on deserialisation flaw Gsunde Orangen (Nov 15)
- Re: Assign CVE for common-collections remote code execution on deserialisation flaw Jason Shepherd (Nov 12)
  - Re: Re: Assign CVE for common-collections remote code execution on deserialisation flaw Gsunde Orangen (Nov 13)

(Thread continues...)