Hello, the class org.eclipse.ceylon.compiler.java.language.SerializationProxy allows building a very simple deserialization gadget.
I'm about to submit a merge request to ysoserial (https://github.com/frohoff/ysoserial), see here: https://github.com/supersache/ysoserial/commit/a65671e06dcec9f72e57dbccd422837e1c33249d.
If someone does java.io.ObjectInputStream.readObject() on untrusted data and ceylon-language-1.3.3 is in the class path, an attacker can achieve Remote Code Execution (or execute arbitrary Java code on behalf of the server). I have no clue how and where ceylon is used, or whether there is a realistic threat of exploitation.
I wanted to give you the opportunity to address this before the exploit code becomes public.
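For applications that must call readObject() on data they do not fully trust, the defender's control against gadget classes like the one reported above is a JDK serialization filter (JEP 290, Java 9+) that allows only the classes the application expects. The example below is added here and is not the reporter's or the Ceylon project's code; it assumes Java 9 or later, and java.util.Hashtable stands in for any class that is not on the allowlist.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;

public class FilteredDeserialization {

    // Allowlist only the classes the application actually expects and reject
    // everything else, so a gadget class such as
    // org.eclipse.ceylon.compiler.java.language.SerializationProxy is never
    // instantiated even when the Ceylon jar is on the class path.
    // ObjectInputFilter pattern syntax: patterns are matched in order,
    // "!*" at the end rejects anything not explicitly allowed.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1000;java.util.ArrayList;java.lang.String;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            // The filter must be installed before the first readObject() call.
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an expected payload type round-trips normally.
        List<String> expected = new ArrayList<>(List.of("a", "b"));
        System.out.println("allowed: " + deserialize(serialize(expected)));

        // Constructed sample: a class not on the allowlist is rejected before
        // its readObject()/readResolve() logic ever runs.
        try {
            deserialize(serialize(new Hashtable<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same filter can be applied process-wide with the jdk.serialFilter system property instead of per stream, which also covers readObject() calls in third-party code.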