
A vulnerability in WebLogic, WebSphere, JBoss, Jenkins, OpenNMS and others

125 points by sprkyco over 9 years ago

8 comments

kohsuke over 9 years ago
I'm from the Jenkins project.

I wish the authors of this post had given us a heads up beforehand. It put our users at unnecessary risk.

At the Jenkins project, we've published a mitigation script (https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli) while we work out a better fix for users.
sprkyco over 9 years ago
One thing I really liked about the write-up is the thoroughness with which everything was explained. Nothing was assumed. The author explains what Burp is and why it was used, broke down the basics at a high level and then touched on the simple things, and showed exploits in multiple frameworks. Really a well done article just from a write-up perspective, let alone the impact of the issue.
devonkim over 9 years ago
Anyone actually have a CVE I can reference in talks to leadership so I don't look like a neckbeard security geek that's acting self-important?
el_duderino over 9 years ago
Kenn White said it best: "This will get very ugly: unpatched, full remote exec on Java-based web svcs that use a popular serialization library
btilly over 9 years ago
This is very similar to the series of serialization vulnerabilities that hit the Ruby on Rails world in early 2013.

Black hats are going to have fun with this one. :-(
based2 over 9 years ago
https://www.reddit.com/r/netsec/comments/3rrr9z/what_do_weblogic_websphere_jboss_jenkins_opennms/

http://mail-archives.apache.org/mod_mbox/commons-dev/201511.mbox/%3C20151106222553.00002c57.ecki%40zusammenkunft.net%3E

https://www.owasp.org/index.php/Information_leak_through_serialization
TazeTSchnitzel over 9 years ago
The first thing I thought was "written in Java". The more straightforward headline would have been better, I think.
pythonistic over 9 years ago
I had to backport a fix for a similar vulnerability in a Seam installation three years ago. The solution at the time was to limit the directories and sources from which serialized object representations could be read.
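The mitigation pythonistic and kohsuke describe, restricting what an application will deserialize, can be expressed in code as a look-ahead `ObjectInputStream` that rejects any class not on an explicit allowlist before it is instantiated. This is an added illustration, not code from the thread, from Jenkins or from any of the products named; the `Greeting` class and the allowlist contents are constructed for the demo, and `Set.of` assumes Java 9 or later.

```java
import java.io.*;
import java.util.Set;

/** ObjectInputStream that only resolves classes named in an explicit allowlist. */
public final class AllowlistObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;

    public AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    // resolveClass runs for every class descriptor in the stream before the
    // corresponding object is built, so a gadget class from some library on the
    // classpath is refused up front instead of being constructed and then checked.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!allowed.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "class not in deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    /** Constructed sample payload type for the demo. */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    public static void main(String[] args) throws Exception {
        // Serialize a harmless object to get a byte stream to read back.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(new Greeting("hi")); }
        byte[] bytes = bos.toByteArray();

        // Allowlist contains Greeting: the object is read normally.
        Set<String> ok = Set.of(Greeting.class.getName());
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(bytes), ok)) {
            System.out.println(((Greeting) in.readObject()).text);
        }
        // Same bytes against an allowlist that lacks Greeting: rejected before instantiation.
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(bytes), Set.of())) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same policy can be applied with the built-in `ObjectInputFilter` (JEP 290) via `ObjectInputStream.setObjectInputFilter` instead of subclassing; either way the allowlist should name only the types the application genuinely expects to read.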