On 11/09/2015 12:34 PM, Eirik Bjørsnøs wrote:
> Hi,
>
> Following the "recent" "news" about Java deserialization security issues, I
> decided to create:
>
> https://github.com/kantega/invoker-defender/
>
> This is a Java Agent which removes java.io.Serializable from classes known
> to be vulnerable to deserialization attacks. (Including InvokerTransformer)
>
> I do not in any way consider this a complete solution to the problem since
> it only "fixes" a few well known classes.
>
> But it might be something people could consider as a mitigation effort
> while vendors/projects work on more long-term fixes.
>
> Feedback is welcome.

Thanks for sharing your work here.

Thomas
