oss-sec mailing list archives
CVE request: Kryo (Java serialization API)
From: Arshan Dabirsiaghi <arshan.dabirsiaghi () contrastsecurity com>
Date: Tue, 1 Mar 2016 20:09:52 +0000
The Kryo serialization API (https://github.com/EsotericSoftware/kryo) doesn't enforce whitelisting by default, and thus allows side effects from constructors and finalizer methods in attacker-chosen types when deserializing. With the right gadgets available on the classpath, these side effects could lead to DoS, memory corruption, and possibly RCE.

https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-1-kryo
https://github.com/EsotericSoftware/kryo/issues/398

Thanks,

--
Arshan Dabirsiaghi | Chief Scientist
Contrast Security, Inc. <http://www.contrastsecurity.com/>
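The mitigation the report points at is to make Kryo refuse any type that the receiver has not explicitly registered. The following is an added example, not code from the post or from the Kryo project; it assumes the Kryo 3.x/4.x API (`Kryo`, `Input`, `Output`, `setRegistrationRequired`, `register`), where registration is off by default (Kryo 5 later flipped that default). `Greeting` is a constructed stand-in for whatever class a stream might name, and the exact text of the exception message is not relied upon, only its type.

```java
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.io.Input;
import com.esotericsoftware.kryo.io.Output;

public class KryoWhitelistDemo {

    /** Constructed sample type; stands in for any class a peer might name in the stream. */
    public static class Greeting {
        public String text;
        public Greeting() {}
        public Greeting(String text) { this.text = text; }
    }

    /** Permissive configuration: Kryo 3/4 default, classes are resolved by name from the stream. */
    static Kryo permissiveKryo() {
        return new Kryo(); // setRegistrationRequired(false) by default in Kryo 3.x/4.x
    }

    /** Hardened configuration: only explicitly registered classes may be read or written. */
    static Kryo hardenedKryo(Class<?>... allowed) {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(true);
        for (Class<?> c : allowed) kryo.register(c);
        return kryo;
    }

    static byte[] serialize(Kryo kryo, Object obj) {
        Output output = new Output(1024, -1); // growable buffer, no upper bound
        kryo.writeClassAndObject(output, obj);
        output.close();
        return output.toBytes();
    }

    static Object deserialize(Kryo kryo, byte[] bytes) {
        try (Input input = new Input(bytes)) {
            return kryo.readClassAndObject(input);
        }
    }

    public static void main(String[] args) {
        // A stream produced with the permissive defaults: the class name travels inside the
        // bytes, so a permissive receiver instantiates whatever type is named there.
        byte[] untrusted = serialize(permissiveKryo(), new Greeting("hello"));

        // Permissive receiver: resolves Greeting by name and runs its constructor.
        Object o = deserialize(permissiveKryo(), untrusted);
        System.out.println("permissive receiver built: " + o.getClass().getName());

        // Hardened receiver with an empty whitelist: Kryo throws IllegalArgumentException for an
        // unregistered class before any instance is created.
        try {
            deserialize(hardenedKryo(), untrusted);
            System.out.println("unexpected: hardened receiver accepted the stream");
        } catch (IllegalArgumentException e) {
            System.out.println("hardened receiver rejected: " + e.getMessage());
        }

        // Hardened receiver that whitelists Greeting: both sides must register the same classes
        // in the same order, because registered classes are written as numeric IDs, not names.
        Kryo sender = hardenedKryo(Greeting.class);
        Kryo receiver = hardenedKryo(Greeting.class);
        Greeting g = (Greeting) deserialize(receiver, serialize(sender, new Greeting("hello")));
        System.out.println("whitelisted type round-tripped: " + g.text);
    }
}
```

Registration order matters once `setRegistrationRequired(true)` is on: the numeric ID assigned to a class is its position in the registration sequence, so a sender and receiver that register the same classes in different orders will either fail or deserialize the wrong type. Keep the registration list in one shared place rather than duplicating it per endpoint.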