Posted to issues@cxf.apache.org by "Daniel Kulp (JIRA)" <ji...@apache.org> on 2015/12/15 21:59:46 UTC

[jira] [Commented] (CXF-6711) Aegis Databinding Deserialization Vulnerability

    [ https://issues.apache.org/jira/browse/CXF-6711?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15058793#comment-15058793 ] 

Daniel Kulp commented on CXF-6711:
----------------------------------

Honestly, I cannot figure out how that would be set to "true".  

It defaults to false, which is good.  There is no configuration that can be used to set it to true.   The only way would be to use java code to dig through the Aegis registry to find the ObjectType and then manually set it.   Not likely to happen.

In addition, even if you can figure out how to set it, it doesn't even work "correctly".   If set, it should have written out in base64 if unknown.   It doesn't do that.  It still writes as xml elements as if there was a schema.    The only thing setting this to true would allow is some level of acceptance of messages that are NOT coming from CXF clients.   Thus, there is likely NO reason to have ever set this to true.    My only thinking is that this is some remnant of old XFire code that wasn't fully removed.   I'm going to go ahead and remove it.


> Aegis Databinding Deserialization Vulnerability
> -----------------------------------------------
>
>                 Key: CXF-6711
>                 URL: https://issues.apache.org/jira/browse/CXF-6711
>             Project: CXF
>          Issue Type: Bug
>          Components: Aegis Databinding
>    Affects Versions: 3.1.4
>            Reporter: Moritz Bechler
>
> Just had a quick look after the topic came up on -users. Aegis Databinding seems to perform unsafe deserialization when serializedWhenUnknown=true. Not sure how common that is (and actually no experience with aegis at all), but if used and enabled that's pretty much direct remote code execution.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
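The report above boils down to one pattern: when the flag is on, element text that does not match any known schema type is treated as base64 of a Java-serialized object and fed to ObjectInputStream, so a client that is not CXF can hand the server an arbitrary object graph. The following stand-alone Java program is an added illustration, not code from CXF or from either participant in the thread; it does not use the real Aegis ObjectType or TypeMapping classes at all, and the two reader methods, their names, and the sample payloads are assumptions constructed to show the unsafe path beside a filtered one (ObjectInputFilter, Java 9+).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class UnknownTypeDeserializationDemo {

    // Hypothetical reader modelled on the behaviour described in the report:
    // with serializedWhenUnknown=true, the element text is base64-decoded and
    // passed straight to ObjectInputStream. Any Serializable class on the
    // classpath can be instantiated here, which is why the reporter calls it
    // direct remote code execution.
    static Object readUnknownUnsafe(String base64Text) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64Text);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject();
        }
    }

    // Hardened variant (assumed, not CXF's): if such a path must exist at all,
    // only an explicit allowlist of classes may be resolved; everything else is
    // rejected before the class is even loaded.
    static Object readUnknownHardened(String base64Text, Set<String> allowedClasses)
            throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64Text);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(info -> {
                Class<?> c = info.serialClass();
                if (c == null) {
                    // Non-class checks (depth, array length, references): leave to defaults.
                    return ObjectInputFilter.Status.UNDECIDED;
                }
                return allowedClasses.contains(c.getName())
                        ? ObjectInputFilter.Status.ALLOWED
                        : ObjectInputFilter.Status.REJECTED;
            });
            return in.readObject();
        }
    }

    // Builds a Java-serialized, base64-encoded payload; stands in for what a
    // non-CXF client could put into the element text.
    static String serializeToBase64(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payloads. HashMap is a harmless stand-in for
        // "any class the server did not expect"; a real attacker would pick a
        // gadget chain instead.
        String expected = serializeToBase64(new ArrayList<>(List.of("a", "b")));
        String unexpected = serializeToBase64(new HashMap<>(Map.of("k", "v")));

        System.out.println("unsafe, expected class:   " + readUnknownUnsafe(expected));
        System.out.println("unsafe, unexpected class: " + readUnknownUnsafe(unexpected));

        Set<String> allow = Set.of("java.util.ArrayList", "java.lang.String");
        System.out.println("hardened, expected class: " + readUnknownHardened(expected, allow));
        try {
            readUnknownHardened(unexpected, allow);
            System.out.println("hardened, unexpected class: accepted (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("hardened, unexpected class: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with any JDK 9 or later (javac UnknownTypeDeserializationDemo.java && java UnknownTypeDeserializationDemo). The unsafe reader accepts both payloads; the filtered reader accepts the ArrayList and throws InvalidClassException for the HashMap. The point matches Daniel Kulp's conclusion: the safest fix is to not have the code path at all, and the filter is only what you would reach for if such a path had to remain.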