oss-sec mailing list archives
Re: CVE-Request: Assign CVE for common-collections remote code execution on deserialisation flaw
From: Tim <tim-security () sentinelchicken org>
Date: Fri, 13 Nov 2015 09:16:10 -0800
> The patch[1] attached to that JIRA report would disable serialization by default. Any application that needs it would require a code change to re-enable it. This would break existing applications.

Right... so that's still speculation. Speculation that apps actually need to serialize objects of those particular classes. There may very well be applications that do that, but I just want to be sure we're not overstating the downsides.

tim
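As an added illustration of what the quoted "code change to re-enable it" amounts to in practice (this is not code from the thread or from the Commons Collections project), the program below round-trips an InvokerTransformer through Java serialization. It assumes the released commons-collections 3.2.2 form of the COLLECTIONS-580 fix, where writeObject/readObject of the functor classes throw UnsupportedOperationException unless the system property org.apache.commons.collections.enableUnsafeSerialization is set to "true"; against 3.2.1 the first branch simply succeeds. The property name and the UnsupportedOperationException behaviour are assumptions about that release, not something this message states.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.InvokerTransformer;

/**
 * Added example (not from the oss-sec thread or the Commons Collections project).
 *
 * Serializes and deserializes an InvokerTransformer. Against 3.2.1 the round-trip
 * always succeeds. Against 3.2.2 (assumed here to be the released form of the
 * patch discussed above) the functor's writeObject refuses unless the opt-in
 * system property is set, which is the "code change" an application that really
 * does serialize these classes would have to make.
 */
public class TransformerSerializationCheck {

    // Assumed property name from the 3.2.2 fix (FunctorUtils.checkUnsafeSerialization).
    static final String OPT_IN_PROPERTY = "org.apache.commons.collections.enableUnsafeSerialization";

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // A harmless transformer: reflectively calls toString() on its input.
        Transformer t = new InvokerTransformer("toString", new Class[0], new Object[0]);

        try {
            Transformer back = (Transformer) deserialize(serialize(t));
            System.out.println("serialization allowed; round-trip result: " + back.transform(42));
        } catch (UnsupportedOperationException e) {
            // 3.2.2 default: the functor refuses to be (de)serialized.
            System.out.println("disabled by default: " + e.getMessage());

            // The opt-in the patch requires. Only do this if you are certain the
            // application never deserializes data from untrusted sources.
            System.setProperty(OPT_IN_PROPERTY, "true");
            Transformer back = (Transformer) deserialize(serialize(t));
            System.out.println("after opt-in, round-trip result: " + back.transform(42));
        }
    }
}
```

Running this against each library version is a direct way to settle the "does my application actually need this" question raised above: an application that never hits the UnsupportedOperationException in its own serialization paths loses nothing from the default, and one that does hit it has found exactly the code path the patch would break.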