topic Java Deserialization, it's still a thing... in Tech Talk https://community.isc2.org/t5/Tech-Talk/Java-Deserialization-it-s-still-a-thing/m-p/35229#M2632 <P><SPAN>Java deserialization vulnerabilities were&nbsp;discovered and disclosed in January 2015 by&nbsp;</SPAN><STRONG>Gabriel Lawrence and Chris Frohoff</STRONG><SPAN>. These serious vulnerabilities arise from the way in which Java deserializes serialized objects (see the&nbsp;</SPAN><A href="http://2.%20https//www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles" target="_blank" rel="noopener">presentation of Gabriel Lawrence and Chris Frohoff</A><SPAN>). The underlying flaw in Java has&nbsp;</SPAN><STRONG>not been fixed by Oracle</STRONG><SPAN>, most likely due to the&nbsp;impact a fix would have on various frameworks and libraries. However, many workarounds can be applied to prevent exploitation. What's new? If you are hunting for AppDefects try out this cool&nbsp;<A href="https://techblog.mediaservice.net/2020/04/java-deserialization-scanner-0-6-is-out/" target="_blank" rel="noopener">Java Deserialization Scanner</A>.</SPAN></P> Mon, 09 Oct 2023 09:30:35 GMT AppDefects 2023-10-09T09:30:35Z Java Deserialization, it's still a thing... https://community.isc2.org/t5/Tech-Talk/Java-Deserialization-it-s-still-a-thing/m-p/35229#M2632 <P><SPAN>Java deserialization vulnerabilities were&nbsp;discovered and disclosed in January 2015 by&nbsp;</SPAN><STRONG>Gabriel Lawrence and Chris Frohoff</STRONG><SPAN>. These serious vulnerabilities arise from the way in which Java deserializes serialized objects (see the&nbsp;</SPAN><A href="http://2.%20https//www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles" target="_blank" rel="noopener">presentation of Gabriel Lawrence and Chris Frohoff</A><SPAN>). The underlying flaw in Java has&nbsp;</SPAN><STRONG>not been fixed by Oracle</STRONG><SPAN>, most likely due to the&nbsp;impact a fix would have on various frameworks and libraries. However, many workarounds can be applied to prevent exploitation. What's new? If you are hunting for AppDefects try out this cool&nbsp;<A href="https://techblog.mediaservice.net/2020/04/java-deserialization-scanner-0-6-is-out/" target="_blank" rel="noopener">Java Deserialization Scanner</A>.</SPAN></P> Mon, 09 Oct 2023 09:30:35 GMT https://community.isc2.org/t5/Tech-Talk/Java-Deserialization-it-s-still-a-thing/m-p/35229#M2632 AppDefects 2023-10-09T09:30:35Z