[jersey-dev] Kryo serialization issue in jersey

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[jersey-dev] Kryo serialization issue in jersey

From: "Parkala, Sourabh Sarvotham" <sourabh.sarvotham.parkala@xxxxxxx>
Date: Tue, 4 Aug 2020 10:19:48 +0000
Accept-language: en-IN, en-US
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=sap.com; dmarc=pass action=none header.from=sap.com; dkim=pass header.d=sap.com; arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=aIgby309waPgtOUByTvcJExQasnrSI0hPwOgLsg4wF8=; b=Tq+4WEWpWjtrmTIncp8OP0uvTjuvNMf6K6I2z3k9U7lu3C4XSbSWAui88E/G8QGHyJos/LS9hOGdi1f1IkUZN7ir0y/bADTWNAlrVa3D5HU+cngy3tQRLP/Snj3aAr4G4ko7ZXKhAC2htnmBAlNf6y0TqvUPhaSUDFaDs9BXrGCFQh55B+aumnL9No4Qn1SqBv3f8SiVTqXUKD4mFVCQQyibjnhfI1KfTLgavodRrylyZKn60vepLfw/zqJJ2OGcfyROta2TOL2KZi7ILf1PqnFBlYq/XsIgdroRQlFw7YhXIhK5iWxuUz2y95aAzOf9shK9evqDQhMH3qs/NaoyTw==
Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Oy8DgifjHPZ9ha4t/e/3n+BRUk/w++w9Oleh4mnAaOOZRNDTFT9xTiH0CuexrnfUJdWAUS/9qyKm6UGBHERM0zDb9RKuGk16V3pvXnq7XDKwyuhV8ePxkDPT46nXhyeT9E3t0SnN2FGjcZNk+6GXcKOy1J7U4lcG+zQdFhnB0V6LkM1GLWYEVr30x2quEhczrKVPw6mRPu8AtWoqwliJPI6T0VTFIWyT/EyyFl4CEMs8v1phVXVhsjUYuE+xHUXZnJMR5TvAl8QYNfp3RsX5nsXGd9+BbGGKkfvcjx1VybgliixcpVq8zXWFacvH/oPqi3zYx+2eknbNfRk3TtLlrg==
Delivered-to: jersey-dev@xxxxxxxxxxx
Ironport-sdr: WiPW4+lSKUUtbFrSBkC/OFu9k7AiFQ3z7zunlqUSCZ5dANeS/gbm1b4NtSf/4WkdlDs6uxbqKH buXzJxR1d6hBn7fFGvN8D3b8yNlpgjWZ4WH4jyxzQNIKVW1DuysLEdAJhXu9kv1O7FXWS/o7Ao o+Pc1dQiQfYhzwqVIAQ7S6hZJBqbK9lyDB6KBTxj3VteEjkUWfLgy/Tb1eqJ9Pab8UCqsULAzG kTCmKZN2Z4dfybin6CfwCohFQ+UywjXqx31dK5kO2gWAGM/gRUT+ZwRYtYudzjPXLSOkRu9Emi knhJZar9f+uprVasUX7zgE1p
List-archive: <https://www.eclipse.org/mailman/private/jersey-dev>
List-help: <mailto:jersey-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jersey-dev>, <mailto:jersey-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jersey-dev>, <mailto:jersey-dev-request@eclipse.org?subject=unsubscribe>
Thread-index: AdZqRqcngnXJ+YY1RXyANElxr2QZmgAAgGVg
Thread-topic: Kryo serialization issue in jersey

Hello,

I am Sourabh, working on security aspects of OSS libraries in SAP.

We came across a vulnerability associated to [1]. This vulnerability is being reported from com.esotericsoftware:kryo:4.0.1, as part of org.glassfish.jersey.media:jersey-media-kryo:2.29.1.

The vulnerability dictates that Type Registration should be turned on by default.

I had a chance to look through your code in [2]. I see that you guys are explicitly making sure that the Class Type registration happens by default.

So my question is that, do you think that this above reported vulnerability might be affecting you in some manner. I may have missed something.

Please let me know.

Thanks and Regards

Sourabh

Sourabh Sarvotham Parkala

The Tools Team | Phosphor

WDF07 X1.65

[1] https://github.com/EsotericSoftware/kryo/issues/398

[2] https://github.com/eclipse-ee4j/jersey/tree/master/incubator/kryo/src/main/java/org/glassfish/jersey/kryo

Follow-Ups:
- Re: [jersey-dev] Kryo serialization issue in jersey
  - From: Jan Supol

Prev by Date: Re: [jersey-dev] Incoming Coupling and Outgoing Coupling of a Service
Next by Date: Re: [jersey-dev] Incoming Coupling and Outgoing Coupling of a Service
Previous by thread: [jersey-dev] Incoming Coupling and Outgoing Coupling of a Service
Next by thread: Re: [jersey-dev] Kryo serialization issue in jersey
Index(es):
- Date
- Thread

Breadcrumbs