
SECURITY: Arbitrary binary deserialization leading to a variety of security impacts in restlet #778

Closed
thboileau opened this Issue Aug 22, 2013 · 1 comment

2 participants

@thboileau
Restlet member

Reported by David Jorm:
A remote attacker could use this flaw to trigger the execution of the deserialization methods in any serializable class deployed on the server. This could lead to a variety of security impacts depending on the deserialization logic of these classes.

This might sound innocuous at first, but it is surprisingly common for classes to implement their own deserialization methods which are not secure when an attacker can call them with an arbitrary crafted instance of the object. This article provides a good explanation of the issue, and a solution to it:

http://www.ibm.com/developerworks/library/se-lookahead/
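The look-ahead check referenced above, as an added example (not Restlet's code and not taken from the linked article): a hypothetical `LookAheadObjectInputStream` that refuses any class not on an explicit allow-list inside `resolveClass`, which the JDK consults from the stream's class descriptor before an instance is created or its own `readObject` logic runs. The `Greeting` bean and its serialized payload are constructed for the demo; `Set.of` assumes Java 9 or later.

```java
import java.io.*;
import java.util.Set;

// Hypothetical look-ahead ObjectInputStream: a class not on the allow-list is refused
// from its descriptor alone, before any instance exists or its readObject can run.
public class LookAheadObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;

    public LookAheadObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!allowed.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "not on the deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    // Constructed sample bean standing in for an application class.
    public static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Serializes a Greeting, then reads the same bytes back under two allow-lists.
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new Greeting("hello"));
        }
        byte[] payload = bos.toByteArray();
        // Expected bean on the list: deserializes normally.
        try (ObjectInputStream in = new LookAheadObjectInputStream(
                new ByteArrayInputStream(payload), Set.of(Greeting.class.getName()))) {
            System.out.println("accepted: " + ((Greeting) in.readObject()).text);
        }
        // Same bytes against a list that omits Greeting: rejected before construction.
        try (ObjectInputStream in = new LookAheadObjectInputStream(
                new ByteArrayInputStream(payload), Set.of("java.lang.String"))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

Restlet's own fix, per the commits on this issue, took the stricter route of removing default support for binary deserialization rather than filtering it.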

@thboileau thboileau was assigned Aug 22, 2013
@thboileau thboileau added a commit that referenced this issue Aug 22, 2013
@thboileau thboileau Fixed issue #778 - Removed default support of JavaBeans binary-serialization. Reported by David Jorm.
3234cf6
@thboileau thboileau added a commit that referenced this issue Aug 22, 2013
@thboileau thboileau Fixed issue #778 - Removed default support of JavaBeans binary-serialization. Reported by David Jorm.
f52c7d0
@thboileau thboileau added a commit that referenced this issue Aug 22, 2013
@thboileau thboileau Fixed issue #778 - Removed default support of JavaBeans binary-serialization. Reported by David Jorm.
3838f79
@thboileau thboileau added a commit that referenced this issue Sep 6, 2013
@thboileau thboileau Fixed issues #774, #778 - Removed default support of JavaBeans XML-deserialization, binary-deserialization on ObjectRepresentation class. Reported by David Jorm.
ae3ef64
@thboileau thboileau added a commit that referenced this issue Sep 6, 2013
@thboileau thboileau Fixed issues #774, #778 - Removed default support of JavaBeans XML-deserialization, binary-deserialization on ObjectRepresentation class. Reported by David Jorm.
b1b11fe
@jlouvel
Restlet member
jlouvel commented Sep 19, 2013

Thierry, can we close this issue?

@thboileau thboileau closed this Nov 18, 2013