Closed gmlewis closed 8 years ago
While I thank you for the patch and have no objections to it, I am a bit puzzled by your statement that is:
By merely existing on the classpath, this library causes the Java serialization parser for the entire JVM process to go from being a state machine to a turing machine. A turing machine with an exec() function!
My understanding is that the attack vector only applies to cases where serialization is involved. There is no such thing either in Shib or in this extension as far as I know. Thus, while the patch is very much welcome, I can't see this as a security issue. Makes sense?
SGTM. Closing.
Version 3.2.1 has a CVSS 10.0 vulnerability. That is the worst kind of vulnerability that exists. By merely existing on the classpath, this library causes the Java serialization parser for the entire JVM process to go from being a state machine to a turing machine. A turing machine with an exec() function!
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8103 https://commons.apache.org/proper/commons-collections/security-reports.html http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/