Leaking deserialization protection on Externalizables #15346
Comments
Would it be possible for someone to describe specifically how an attacker might use this vulnerability? From what I am reading it sounds like an attacker would need to send a malformed Join request that tricks Hazelcast into deserializing a rogue class that is on the classpath of the service accepting the join request. Is that accurate?

@kwart can you provide an answer for the question or confirm it?

We don't publish details on attack vectors. Sorry.
The deserialization filter doesn't properly protect against vulnerable Externalizable classes. The filtering has to be extended. The issue was discovered by @Mak-Sym and reported on the Hazelcast Google group: https://groups.google.com/forum/#!topic/hazelcast/B_RAv7gTVPU.
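As an added illustration (not Hazelcast's code and not the fix shipped for this issue): a Java class-name allowlist that is enforced in ObjectInputStream.resolveClass but, in the leaky variant, not on a hand-rolled Externalizable path that reads a class name from untrusted bytes and instantiates it reflectively. The class names, the wire format and the applyFilter switch are hypothetical; the point is that every code path which turns a class name from the network into an object needs the same check, or the filter is bypassed.

```java
import java.io.*;
import java.util.Set;

/**
 * Added illustration, not Hazelcast's code: one allowlist, two decode paths.
 * The standard path enforces it in resolveClass; the custom Externalizable
 * path only enforces it when applyFilter is true. All names are hypothetical.
 */
public final class ExternalizableFilterDemo {

    /** Hypothetical allowlist of classes the service is willing to instantiate. */
    static final Set<String> ALLOWED_CLASSES = Set.of(SafePayload.class.getName());

    static boolean isClassAllowed(String className) {
        return ALLOWED_CLASSES.contains(className);
    }

    /** Harmless Externalizable used as the sample payload. */
    public static final class SafePayload implements Externalizable {
        public String value;
        public SafePayload() {}
        public SafePayload(String v) { value = v; }
        @Override public void writeExternal(ObjectOutput out) throws IOException { out.writeUTF(value); }
        @Override public void readExternal(ObjectInput in) throws IOException { value = in.readUTF(); }
    }

    /** Stand-in for a class that is deliberately not on the allowlist. */
    public static final class NotOnTheAllowlist implements Externalizable {
        public NotOnTheAllowlist() {}
        @Override public void writeExternal(ObjectOutput out) {}
        @Override public void readExternal(ObjectInput in) {}
    }

    /** Standard Java path: the allowlist is consulted in resolveClass for every class. */
    static Object readWithObjectInputStream(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
                if (!isClassAllowed(desc.getName())) {
                    throw new InvalidClassException(desc.getName(), "blocked by deserialization filter");
                }
                return super.resolveClass(desc);
            }
        }) {
            return ois.readObject();
        }
    }

    /** Hypothetical custom wire format: [UTF class name][ObjectOutputStream header + writeExternal body]. */
    static byte[] encode(Externalizable obj) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        out.writeUTF(obj.getClass().getName());
        ObjectOutputStream oos = new ObjectOutputStream(out);
        obj.writeExternal(oos);
        oos.flush();
        return buf.toByteArray();
    }

    /**
     * Custom Externalizable path. With applyFilter=false the class name taken
     * from untrusted bytes is instantiated unchecked, which is the kind of gap
     * the issue describes; with applyFilter=true the same allowlist is applied
     * before any instance exists.
     */
    static Externalizable decodeExternalizable(byte[] bytes, boolean applyFilter) throws Exception {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(bytes));
        String className = in.readUTF();
        if (applyFilter && !isClassAllowed(className)) {
            throw new InvalidClassException(className, "blocked by deserialization filter");
        }
        Class<?> clazz = Class.forName(className);
        if (!Externalizable.class.isAssignableFrom(clazz)) {
            throw new InvalidClassException(className, "not Externalizable");
        }
        Externalizable obj = (Externalizable) clazz.getDeclaredConstructor().newInstance();
        obj.readExternal(new ObjectInputStream(in)); // reads the header written by encode(), then the body
        return obj;
    }

    public static void main(String[] args) throws Exception {
        byte[] ok = encode(new SafePayload("hello"));
        byte[] notAllowed = encode(new NotOnTheAllowlist());

        System.out.println("allowed class, filtered:   " + ((SafePayload) decodeExternalizable(ok, true)).value);
        System.out.println("blocked class, unfiltered: " + decodeExternalizable(notAllowed, false).getClass().getSimpleName()
                + "  <- instantiated although it is not on the allowlist");
        try {
            decodeExternalizable(notAllowed, true);
        } catch (InvalidClassException e) {
            System.out.println("blocked class, filtered:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

The decisive line is the allowlist check placed before Class.forName: a filter that runs only inside resolveClass never sees a class name that a separate Externalizable reader pulls from the stream itself, so the check has to be duplicated (or better, centralised) on every such path.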