I'd like to find out some more details about the specific vulnerability motivations behind the whitelist fix for the Java deserialization issue. I'd like to disambiguate between the addition of the whitelist feature and the specific Java deserialization exploit vectors using the gadget chains.
My main goal is to determine whether ActiveMQ has any inherent exploitable deserialization gadget outside of commons-collections. In other words, the whitelist is a precaution and good proactive security, but the real 'fix' is the updated dependency. There were no changes to any API for ActiveMQ that could have been leveraged as a gadget, correct? The implications are that it is minimally sufficient to remediate the commons-collections library alone with a * whitelist for the current releases, and for older releases to just update the commons-collections library. The latter would not provide the safety net the whitelist provides but would remediate the immediate danger. Is my assessment correct?

1. ActiveMQ contains a dependency on the known vulnerable library - commons-collections. The commit for 5.12.2 updates the dependency on commons-collections, so definitely that is a gadget vector for exploit. https://git-wip-us.apache.org/repos/asf?p=activemq.git;a=commit;h=81ef5efdc749d9af2fc4150f92195132b1298423

--
View this message in context: http://activemq.2283324.n4.nabble.com/java-deserialization-vulnerability-details-for-activemq-tp4709176.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
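An added illustration (not ActiveMQ's own code, and not part of the original post) of why the whitelist is a safety net independent of which gadget library sits on the classpath: a subclass of ObjectInputStream checks the class name in resolveClass before the class is loaded, so the same serialized bytes are accepted or rejected purely on the trusted-package list. The package, class and list contents are assumptions for the demo.

```java
package example.demo;

import java.io.*;
import java.util.List;

// Illustrative whitelist-enforcing ObjectInputStream (assumption: not ActiveMQ's own class).
public class TrustedPackagesObjectInputStream extends ObjectInputStream {
    private final List<String> trustedPackages;

    public TrustedPackagesObjectInputStream(byte[] data, List<String> trusted) throws IOException {
        super(new ByteArrayInputStream(data));
        this.trustedPackages = trusted;
    }

    // Called for every non-String class in the stream before it is loaded, so a
    // class from an untrusted package (e.g. a gadget library) is refused before any of its code runs.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        for (String pkg : trustedPackages) {
            if (pkg.equals("*") || name.startsWith(pkg + ".")) {   // "*" trusts everything
                return super.resolveClass(desc);
            }
        }
        throw new InvalidClassException(name, "class not in trusted packages");
    }

    // Constructed sample payload class; harmless, lives in the trusted package.
    public static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        String text = "hello";
    }

    static Object readWith(byte[] bytes, List<String> trusted) throws Exception {
        try (ObjectInputStream in = new TrustedPackagesObjectInputStream(bytes, trusted)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new Greeting());
        }
        byte[] bytes = bos.toByteArray();
        System.out.println("trusted list: " + ((Greeting) readWith(bytes, List.of("example.demo"))).text);
        try {
            readWith(bytes, List.of("java.util"));   // same bytes, package not on the list
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A production list also needs the java.lang and java.util packages that ordinary message payloads reference, which is why a "*" entry is tempting but removes the safety net entirely.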