Posted to dev@commons.apache.org by Gabriel Lawrence <ga...@gmail.com> on 2015/11/08 04:27:15 UTC

Re: [collection][security] InvokerTransformer missused in java object

Howdy,

Thought I'd dive in here. Sorry that things got pointed in your direction
on this. That was out of our control. Chris and I had a bunch of
conversations about if we thought this was worth reporting to you when we
discovered it. Perhaps we made the wrong decision, hard to say. We don't
think this is a problem with the functionality in your library, instead it's
with the core Serialization/Deserialization logic flows. Blaming you is
like blaming a library used to build a ROP chain and suggesting we break or
remove the assembly that contributes to that ROP chain.

Assuming you fix/change your code, then it's just a matter of finding
another similar gadget somewhere else....

Just thought I'd join in the discussion. I've joined the mailing list.

Thanks,
Gabriel Lawrence
@gebl

Re: [collection][security] InvokerTransformer missused in java object

Posted by Mark Thomas <ma...@apache.org>.
On 08/11/2015 03:27, Gabriel Lawrence wrote:
> Howdy,
> 
> Thought I'd dive in here. Sorry that things got pointed in your direction
> on this. That was out of our control. Chris and I had a bunch of
> conversations about if we thought this was worth reporting to you when we
> discovered it. Perhaps we made the wrong decision, hard to say. We don't
> think this is a problem with the functionality in your library, instead it's
> with the core Serialization/Deserialization logic flows. Blaming you is
> like blaming a library used to build a ROP chain and suggesting we break or
> remove the assembly that contributes to that ROP chain.
> 
> Assuming you fix/change your code, then it's just a matter of finding
> another similar gadget somewhere else....

Indeed. Although I'd guess the chances of Oracle changing the way
serialization works are pretty low. Unfortunately that leaves us playing
whack-a-mole.

> Just thought I'd join in the discussion. I've joined the mailing list.

Welcome. Your input on this - or any other topic - is much appreciated.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org