Dear Clojure community,

First off, apologies for directing this at the general clojure mailing 
list. I was looking for a better destination, but I couldn't find any 
obvious person or private mailing list to direct this to; hopefully from 
here this can get in front of anyone who may be interested.

I recently identified a means to exploit an application performing unsafe 
deserialization by utilizing a "gadget chain" contained entirely in Clojure 
classes. What this means is that any application which is deserializing 
untrusted data and has Clojure on the classpath (whether or not it is 
actually using Clojure) is subject to a remote code execution exploit. Some 
more information on this form of vulnerability is available on the OWASP 
wiki <https://www.owasp.org/index.php/Deserialization_of_untrusted_data>, 
which also has a number of useful links for deeper discussion.

Details of the specific gadget chain I found can be seen here 
<https://github.com/frohoff/ysoserial/pull/68/files>.

This does not represent a "security vulnerability" in Clojure, and I do not 
necessarily believe that any action needs to be taken. If an application is 
subject to exploit via this gadget chain, the vulnerability is with 
application deserializing untrusted data. However, when deserialization 
vulnerabilities became a hot topic a couple of years ago with the discovery 
of a gadget chain in apache-commons 
<https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread>, 
that project received a lot of attention and some made the argument that 
the projects which support exploitable gadget chains should apply some form 
of mitigation. For this reason, I wanted to give maintainers of this 
project a heads-up in case there was any particular action you want to take.

If you have any questions or if there's anything I can clarify, please 
don't hesitate to reach out to me.
Ian Haken
Twitter: @ianhaken
