oss-sec mailing list archives
Re: CVE-Request: Assign CVE for common-collections remote code execution on deserialisation flaw
From: Mark Felder <feld () feld me>
Date: Fri, 13 Nov 2015 08:21:18 -0600
On Thu, Nov 12, 2015, at 17:22, Tim wrote:
> > The currently proposed "fix"[1] is to disable functionality that is being used. This will break applications that need them.
> >
> > [1] https://issues.apache.org/jira/browse/COLLECTIONS-580
>
> I just read through that thread and I did not see anyone indicating that the fix breaks applications. Only speculation. Perhaps you meant to link us somewhere else?
>
> tim
The patch[1] attached to that JIRA report would disable serialization by default. Any application that needs it would require a code change to re-enable it. This would break existing applications.

+ "Serialization and deserialization of InvokerTransformer are disabled for security reasons. " +
+ "To re-enable it set, system property '" + DESERIALIZE + "' to 'true'." +
+ "See https://issues.apache.org/jira/browse/COLLECTIONS-580 for details.");

[1] https://issues.apache.org/jira/secure/attachment/12771520/COLLECTIONS-580.patch

--
Mark Felder
feld () feld me
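Review bot: the message built on the second and third `+` lines concatenates to `... to 'true'.See https://...` with no space before `See`, and the comma in `To re-enable it set, system property` sits in the wrong place; suggest `+ "To re-enable it, set system property '" + DESERIALIZE + "' to 'true'. " +` so the two sentences are separated and read correctly.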
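To make the compatibility point concrete, here is an added illustration (not the Commons Collections patch or the project's code) of the opt-in pattern Mark describes: a Serializable class that refuses to serialise or deserialise unless a system property is set, so the round trip an existing application performs fails out of the box until that application is changed. The class name GuardedTransformer and the property name are placeholders.

```java
import java.io.*;
// Added illustration of the opt-in pattern Mark describes; placeholder names, not the
// Commons Collections patch itself.
public class SerializationGuardDemo {
    static final String DESERIALIZE = "example.guardedtransformer.deserialize"; // placeholder property
    static final class GuardedTransformer implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String methodName;
        GuardedTransformer(String methodName) { this.methodName = methodName; }
        // Guard both directions: an application that still serialises instances fails at
        // write time, and an untrusted stream carrying this class fails at read time.
        private void writeObject(ObjectOutputStream out) throws IOException {
            checkEnabled();
            out.defaultWriteObject();
        }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            checkEnabled();
            in.defaultReadObject();
        }
        private static void checkEnabled() {
            if (!Boolean.getBoolean(DESERIALIZE)) {
                throw new UnsupportedOperationException(
                    "Serialization and deserialization of GuardedTransformer are disabled for security reasons. "
                    + "To re-enable it, set system property '" + DESERIALIZE + "' to 'true'.");
            }
        }
    }

    // Serialises and deserialises t; true if it survived, false if the guard fired.
    static boolean roundTrip(GuardedTransformer t) throws IOException, ClassNotFoundException {
        try {
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(t); }
            try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
                return ((GuardedTransformer) ois.readObject()).methodName.equals(t.methodName);
            }
        } catch (UnsupportedOperationException e) {
            System.out.println("guard fired: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        GuardedTransformer t = new GuardedTransformer("getClass");
        System.out.println("default:  " + roundTrip(t)); // false: disabled out of the box
        System.setProperty(DESERIALIZE, "true");         // the code change an application would need
        System.out.println("opted in: " + roundTrip(t)); // true
    }
}
```

Run it once as-is and once with the property set on the command line to see exactly which deployments would break without a code change.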