Date: Tue, 1 Mar 2016 20:09:52 +0000 From: Arshan Dabirsiaghi <arshan.dabirsiaghi@...trastsecurity.com> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: CVE request: Kryo (Java serialization API) The Kryo serialization API (https://github.com/EsotericSoftware/kryo) doesn¹t enforce whitelisting by default, and thus allows side effects from constructors and finalizer methods in attacker-chosen types when deserializing. With the right gadgets available on the classpath, these side effects could lead to DoS, memory corruption, and possibly RCE. https://www.contrastsecurity.com/security-influencers/serialization-must-di e-act-1-kryo https://github.com/EsotericSoftware/kryo/issues/398 Thanks, -- Arshan Dabirsiaghi | Chief Scientist Contrast Security, Inc. <http://www.contrastsecurity.com/>
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.