Re: [jersey-dev] Kryo serialization issue in jersey

Hi Sourabh,

Kryo is well known for its possible attack when deserializing a Java class, and users should be aware of it when using Kryo. Kryo is marked as @Beta and is not a default part of Jersey distributables, and not part of application servers containing Jersey. It is an extension module for experienced users who know what they use.

For more discussion, please use
https://github.com/eclipse-ee4j/jersey/pull/4541.

Thank you,

Jan

On 04.08.2020 12:19, Parkala, Sourabh Sarvotham wrote:

Hello,

I am Sourabh, working on security aspects of OSS libraries in SAP.

We came across a vulnerability associated with [1]. This vulnerability is being reported from com.esotericsoftware:kryo:4.0.1, as part of org.glassfish.jersey.media:jersey-media-kryo:2.29.1.

The vulnerability dictates that Type Registration should be turned on by default.

I had a chance to look through your code in [2]. I see that you guys are explicitly making sure that the Class Type registration happens by default.

So my question is: do you think that the above reported vulnerability might be affecting you in some manner? I may have missed something.

Please let me know.

Thanks and regards,

Sourabh


*Sourabh Sarvotham Parkala*

The Tools Team | Phosphor

WDF07  X1.65

[1] https://github.com/EsotericSoftware/kryo/issues/398

[2] https://github.com/eclipse-ee4j/jersey/tree/master/incubator/kryo/src/main/java/org/glassfish/jersey/kryo
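The point both messages turn on is Kryo's class registration: with registration required, a stream can only name types the application has explicitly registered, so an attacker-chosen class in the byte stream is rejected before any instance of it is created. The following is an added example (not code from the Jersey kryo module or from this thread) that demonstrates the hardened configuration against Kryo 4.x; `Greeting`, `Unexpected`, `strictKryo` and the helper methods are hypothetical names chosen for the demo.

```java
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.KryoException;
import com.esotericsoftware.kryo.io.Input;
import com.esotericsoftware.kryo.io.Output;

import java.io.ByteArrayOutputStream;

public class KryoRegistrationDemo {

    // Hypothetical DTO that the service legitimately exchanges.
    public static class Greeting { public String text; }

    // Hypothetical type that must never be accepted from the wire.
    public static class Unexpected { public String note; }

    // Hardened reader: only explicitly registered classes may be deserialized.
    // In Kryo 4.x registration is NOT required by default, so set it explicitly.
    static Kryo strictKryo() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(true);
        kryo.register(Greeting.class);       // the allow-list
        return kryo;
    }

    static byte[] serialize(Kryo kryo, Object obj) {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        Output out = new Output(bos);
        kryo.writeClassAndObject(out, obj);  // writes the class name into the stream
        out.flush();
        return bos.toByteArray();
    }

    public static void main(String[] args) {
        // A permissive writer (registration not required) stands in for an
        // untrusted peer that can put any class name into the stream.
        Kryo permissive = new Kryo();
        Greeting g = new Greeting(); g.text = "hello";
        Unexpected u = new Unexpected(); u.note = "not on the allow-list";

        Kryo strict = strictKryo();
        Greeting ok = (Greeting) strict.readClassAndObject(new Input(serialize(permissive, g)));
        System.out.println("registered type accepted: " + ok.text);

        try {
            strict.readClassAndObject(new Input(serialize(permissive, u)));
            System.out.println("BUG: unregistered type was accepted");
        } catch (IllegalArgumentException | KryoException e) {
            // Kryo refuses to resolve a class that is not registered.
            System.out.println("unregistered type rejected: " + e.getMessage());
        }
    }
}
```

The check to make when reviewing a Kryo-based reader is that `setRegistrationRequired(true)` is set on every `Kryo` instance that reads untrusted input and that only application DTOs are registered.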

