On 11.03.2016 at 14:59, Tim Bain wrote:
> Is there a blacklist somewhere of known gadgets (JAR/version plus specific
> classes) so developers can check that they're not whitelisting known
> gadgets? Most developers aren't intimately versed in what classes are
> exploitable, and most aren't going t
Is there a blacklist somewhere of known gadgets (JAR/version plus specific
classes) so developers can check that they're not whitelisting known
gadgets? Most developers aren't intimately versed in what classes are
exploitable, and most aren't going to take the time to search if it's not
easy, so ha
On 10.03.2016 at 18:35, wagonmaster wrote:
> I'd like to find out some more details about the specific vulnerability
> motivations behind the whitelist fix for the java deserialization issue. I'd
> like to disambiguate between the addition of the feature for the whitelist
> and the specific java d
o
definitely that is a gadget vector for exploit.
https://git-wip-us.apache.org/repos/asf?p=activemq.git;a=commit;h=81ef5efdc749d9af2fc4150f92195132b1298423
--
View this message in context:
http://activemq.2283324.n4.nabble.com/java-deserialization-vulnerability-details-for-activemq-tp470917